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Abstract. Modem large-scale distributed systems often rely on eventually con¬ 
sistent replicated stores, which achieve scalability in exchange for providing weak 
semantic guarantees. To compensate for this weakness, researchers have pro¬ 
posed various abstractions for programming on eventual consistency, such as 
replicated data types for resolving conflicting updates at different replicas and 
weak forms of transactions for maintaining relationships among objects. How¬ 
ever, the subtle semantics of these abstractions makes using them correctly far 
from trivial. 

To address this challenge, we propose composite replicated data types, which for¬ 
malise a common way of organising applications on top of eventually consistent 
stores. Similarly to a class or an abstract data type, a composite data type en¬ 
capsulates objects of replicated data types and operations used to access them, 
implemented using transactions. We develop a method for reasoning about pro¬ 
grams with composite data types that reflects their modularity: the method allows 
abstracting away the internals of composite data type implementations when rea¬ 
soning about their clients. We express the method as a denotational semantics for 
a programming language with composite data types. We demonstrate the effec¬ 
tiveness of our semantics by applying it to verify subtle data type examples and 
prove that it is sound and complete with respect to a standard non-compositional 
semantics. 

1 Introduction 

Background. To achieve availability and scalability, many modern networked sys¬ 
tems use replicated stores, which maintain multiple replicas of shared data. Clients can 
access the data at any of the replicas, and these replicas communicate changes to each 
other using message passing. For example, large-scale Internet services use data replicas 
in geographically distinct locations, and applications for mobile devices keep replicas 
locally as well as in the cloud to support offline use. Ideally, we would like replicated 
stores to provide strong consistency, i.e., to behave as if a single centralised replica 
handles all operations. However, achieving this ideal usually requires synchronisation 
among replicas, which slows down the store and even makes it unavailable if network 
connections between replicas fail [13,2], For this reason, modern replicated stores often 
provide weaker guarantees, described by the umbrella term of eventual consistency [4], 
Eventually consistent stores adopt an architecture where a replica performs an oper¬ 
ation requested by a client locally without any synchronisation with others and imme¬ 
diately returns to the client; the effects of the operation are propagated to other replicas 
only eventually. As a result, different replicas may find out about an operation at differ¬ 
ent points in time. This leads to anomalies, one of which is illustrated by the outcome 




Fig. 1. Anomalies illustrating the semantics of causal consistency and causally consistent trans¬ 
actions. The outcomes of operations are shown in comments. The variables v and w are local to 
clients. The structures shown on the right are explained in §3.2. 
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in Figure 1(a). The program shown there consists of two clients operating on set ob¬ 
jects friends[a] and wall [a], which represent information about a user a in a social 
network application. The first client, connected to replica 1, makes b a friend of a’s 
and then posts V s message on a’s wall. After each of these operations, replica 1 might 
send a message with an update to replica 2. If the messages carrying the additions of b 
to friends[a ] and post to wall[a] arrive at replica 2 out of order, the second client can 
see 6’s post, but does not know that b has become a’s friend. This outcome cannot be 
produced by any interleaving of the operations shown in Figure 1(a) and, hence, is not 
strongly consistent. 

The consistency model of a replicated store restricts the anomalies that it exhibits. 
In this paper, we consider the popular model of causal consistency [17], a variant of 
eventual consistency that strikes a reasonable balance between programmability and 
efficiency. A causally consistent store disallows the anomaly in Figure 1(a), because it 
respects causal dependencies between operations: if the programmer sees 6’s post to a’s 
wall, she is also guaranteed to see all events that led to this posting, such as the addition 
of b to the set of a’s friends. Causal consistency is weaker than strong consistency; in 
particular, it allows reading stale data. This is illustrated by the outcome in Figure 1(b), 
which cannot be produced by any interleaving of the operations shown. In a causally 
consistent store it may be produced because each message about an addition sent by the 
replica performing it may be slow to get to the other replica. 

Due to such subtle semantics, writing correct applications on top of eventually con¬ 
sistent stores is very difficult. In fact, finding a good programming model for eventual 
consistency is considered one of the major research challenges in the systems commu¬ 
nity [4], We build on two programming abstractions proposed by researchers to address 
this challenge, which we now describe. 

One difficulty of programming for eventually consistent stores is that their clients 
can concurrently issue conflicting operations on the same data item at different replicas. 
For example, spouses sharing a shopping cart in an online store can add and concur- 






rently remove the same item. To deal with these situations, eventually consistent stores 
provide replicated data types [22] that implement objects, such as registers, counters 
or sets, with various strategies for resolving conflicting updates to them. The strategies 
can be as simple as establishing a total order on all operations using timestamps and 
letting the last writer win, but can also be much more subtle. For example, a set data 
type, which can be used to implement a shopping cart, can process concurrent oper¬ 
ations trying to add and concurrently remove the same element so that ultimately the 
element ends up in the set. 

Another programming abstraction that eventually consistent stores are starting to 
provide is transactions, which make it easier to maintain relationships among different 
objects. In this paper we focus on causally consistent transactions, implemented (with 
slight variations) by a number of stores [25,17,18,23,16,1,3]. When a causally con¬ 
sistent transaction performs several updates at a replica, we are guaranteed that these 
will be delivered to every other replica together. For example, consider the execution 
in Figure 1(c), where at replica 1 two users befriend each other by adding their iden¬ 
tifiers to set objects in the array friends. If we did not use transactions, the outcome 
shown would be allowed by causal consistency, as replica 2 might receive the addition 
of b to friends [a], but not that of a to friends[b]. This would break the expected invari¬ 
ant that the friendship relation encoded by friends is symmetric. Causally consistent 
transactions disallow this anomaly, but nevertheless provide weaker guarantees than 
the classical serialisable ACID transactions. The latter guarantee that operations done 
within a transaction can be viewed as taking effect instantaneously at all replicas. With 
causally consistent transactions, even though each separate replica sees updates done by 
a transaction together, different replicas may see them at different times. For example, 
the outcome in Figure 1(b) could occur even if we executed the pair of commands at 
each replica in a transaction, again because of delays in message delivery. 

A typical way of using replicated data types and transactions for writing applications 
on top of an eventually consistent store is to keep the application data as a set of objects 
of replicated data types, and update them using transactions over these objects [25,23, 
16,1]. Then replicated data types ensure sensible conflict resolution, and transactions 
ensure the maintenance of relationships among objects. However, due to the subtle se¬ 
mantics of these abstractions, reasoning about the behaviour of applications organised 
in this way is far from trivial. For example, it is often difficult to trace how the choice 
of conflict-resolution policies on separate objects affects the policy for the whole appli¬ 
cation: as we show in §5, a wrong choice can lead to violations of integrity invariants 
across objects, resulting in undesirable behaviour. 

Contributions. To address this challenge, we propose a new programming concept 
of a composite replicated data type that formalises the above way of organising appli¬ 
cations using eventually consistent stores. Similarly to a class or an abstract data type, a 
composite replicated data type encapsulates constituent objects of replicated data types 
and composite operations used to access them, each implemented using a transaction. 
For example, a composite data type representing the friendship relation in a social net¬ 
work may consist of a number of set objects storing the friends of each user, with 
transactions used to keep the relation symmetric. Composite data types can also capture 




the modular structure of applications, since we can construct complex data types from 
simpler ones in a nested fashion. 

We further propose a method for reasoning about programs with composite data 
types that reflects their modularity: the method allows one to abstract from the internals 
of composite data type implementations when reasoning about the clients of these data 
types. Technically, we express our reasoning method as a denotational semantics for a 
programming language that allows defining composite data types (§4). As any denota¬ 
tional semantics, ours is compositional and is thus able to give a denotation to every 
composite data type separately. This denotation abstracts from the internal data type 
structure using what we term granularity abstraction: it does not record fine-grained 
events describing operations on the constituent objects that are performed by compos¬ 
ite operations, but represents every invocation of a composite operation by a single 
coarse-grained event. Thereby, the denotation allows us to pretend that the compos¬ 
ite data type represents a single monolithic object, no different from an object of a 
primitive data type implemented natively by the store. The denotation then describes 
the data type behaviour using a mechanism recently proposed for specifying primitive 
replicated data types [10]. The granularity abstraction achieved by this coarse-grained 
denotational semantics is similar (but not identical, as we discuss in §7) to atomicity 
abstraction, which has been extensively investigated in the context of shared-memory 
concurrency [12,24], 

Our coarse-grained semantics enables modular reasoning about programs with com¬ 
posite replicated data types. Namely, it allows us to prove a property of a program by: ( i) 
computing the denotations of the composite data types used in it; and (ii) proving that 
the program satisfies the property assuming that it uses primitive replicated data types 
with the specifications equal to the denotations of the composite ones. We thus never 
have to reason about composite data type implementations and their clients together. 

Since we use an existing specification mechanism [10] to represent a composite 
data type denotation, our technical contribution lies in identifying which specification 
to pick. We show that the choice we make is correct by proving that our coarse-grained 
semantics is sound with respect to a fine-grained semantics of the programming lan¬ 
guage (§6), which records the internal execution of composite operations and follows 
the standard way of defining language semantics on weak consistency models [10,6]. 
We also establish that the coarse-grained semantics is complete with respect to the fine¬ 
grained one: we do not lose precision by reasoning with denotations of composite data 
types instead of their implementations. The soundness and completeness results also 
imply that our coarse-grained denotational semantics is adequate, i.e., can be used for 
proving the observational equivalence of two composite data type implementations. 

We demonstrate the usefulness of the coarse-grained semantics by applying the 
composite data type denotation it defines to specify and verify small but subtle data 
types, such as a social graph (§5). In particular, we show how our semantics lets one 
understand the consequences of different design decisions in the implementation of a 
composite data type on its behaviour. 

Technical challenges. Coming up with a composite data type denotation that would 
be sound and complete with respect to the standard fine-grained semantics is far from 
straightforward. The reason is that the semantics of causally consistent transactions is 



inherently non-compositional, as is common for weak consistency models. It is de¬ 
fined by so-called consistency axioms—global constraints on certain structures over 
events and relations that represent all events occurring in a store execution [11,10,9] 
(§3). Then proving the soundness of our coarse-grained semantics requires us to show 
that an execution in the fine-grained semantics can be transformed by collapsing fine¬ 
grained events inside each composite operation into a single coarse-grained event while 
preserving the validity of the consistency axioms. This is delicate: e.g., merging two 
vertices in a DAG can create a cycle. Our main contribution is to craft the denotation 
of a composite data type so that such problems do not arise. The subtle semantics of 
causally consistent transactions also makes the proofs of soundness and completeness 
of the resulting denotational semantics highly nontrivial. 

2 Programming language and composite replicated data types 

Store data model. We consider a replicated store organised as a collection of prim¬ 
itive objects. Clients interact with the store by invoking operations on objects from 
a set Op, ranged over by o. Every object in the store belongs to one of the primitive 
replicated data types B £ PrimType, implemented by the store natively. The signature 
sig(-B) C Op determines the set of operations allowed on objects of the type B. As 
we explain in §3, the data type also determines the semantics of the operations and, 
in particular, the conflict-resolution policies implemented by them. For uniformity of 
definitions, we assume that each operation takes a single parameter and returns a single 
value from a set of values Val, whose elements are ranged over by a, b, c, d. We assume 
that Val includes at least Booleans and integers, their sets and tuples thereof. We use a 
special value _L £ Val to model operations that take no parameter or return no value. For 
example, primitive data types can include sets with operations add, remove, contains 
and get (the latter returning the set contents). 

Composite replicated data types. We develop our results for a language of client 
programs interacting with the replicated store, whose syntax we show in Figure 2. We 
consider only programs well-typed according to the rules also shown in the figure. 
The interface to the store provided by the language is typical of existing implemen¬ 
tations [25,1], It allows programs to declare objects of primitive replicated data types, 
residing in the store, invoke operations on them, and combine these into transactions. 
Crucially, the language also allows declaring composite replicated data types from the 
given primitive ones and composite objects of these types. These composite objects 
do not actually reside in the store, but serve as client-side anchors for compositions of 
primitive objects. A declaration D of a composite data type includes several constituent 
objects of specified types Tj, which can be primitive types, composite data type decla¬ 
rations or data-type variables a £ DVar, bound to either. The constituent objects are 
bound to distinct object variables x ,, j = 1 ..to from a set OVar. The declaration D 
also defines a set of composite operations O (the type’s signature), with each o £ O 
implemented by a command C Q executed as a transaction accessing the objects x :i . We 
emphasise the use of transactions by wrapping C a into an atomic block. Since a store 
implementation executes a transaction at a replica without synchronising with other 
replicas, transactions never abort. 



Fig. 2. Programming language and sample typing rules. 
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The syntax of commands includes the form var v. G for declaring ordinary vari¬ 
ables v,w £ Var, to be used by C, which store values from Val and are initialised to 
_L. Commands C 0 in composite data type declarations D can additionally access two 
distinguished ordinary variables and u ou t (never declared explicitly), used to pass 
parameters and return values of operations: the parameter gets assigned to ti m at the 
beginning of the execution of C 0 and the return value is read from u out at the end. The 
command v = x.o(G) executes the operation o on the object bound to the variable x 
with parameter G and assigns the result to v. 1 

Our type system enforces that commands only invoke operations on objects consis¬ 
tent with the signatures of their types and that all variables be used within the correct 
scope; in particular, constituent objects of composite types can only be accessed by their 
composite operations. For simplicity, we do not adopt a similar type discipline for val¬ 
ues and treat all expressions as untyped. Finally, for convenience of future definitions, 
the typing rule for v = x.o(G) requires that v- m and u ou t do not appear in v or G. 
Example: social graph. Figure 3 gives our running example of a composite data 
type soc, which maintains friendship relationships and requests between accounts in 
a toy social network application. To concentrate on core issues of composite data type 
correctness, we consider a language that does not allow creating unboundedly many 
objects; hence, we assume a fixed number of accounts N. Using syntactic sugar, the 

1 Since the object bound to x may itself be composite, this may result in atomic blocks being 
nested. Their semantics is the same as the one obtained by discarding all blocks except the 
top-level one. In particular, the atomic blocks that we include into the syntax of commands 
have no effect inside operations of composite data types. 






Fig. 3. A social graph data type soc. 

-Dsoc = let { friends = new EWset[JV]; requesters = new RWset[JV] } in { 
request (from, to) = atomic { 

if ( friends[to\.conta.ins(from ) V requesters[fo].contains(./rom)) then v ou t = false 
else { requesters[to].a.dd(from)-, v ou t = true } }; 
accept (from, to) = atomic { 

if (-ire 5 «esfers[fo].contaiiis(/rom)) then t ou t = false 
else { requesters[to].iemove(from); requesters\from].r:emo-ve(to); 
friends[to].a.dd(from);friends\from].a.dd(to); t ou t = true } }; 
reject (from, to) = atomic { 

if (-ire?Mesfers[to].contains(/rom)) then t ou t = false 

else { requesters[to].remove(from); requesters\from].Temove(to)-, tout = true } }; 
breakup(/rom, to) = atomic { 

if (-1 friends[to].conta.ins(from )) then t ou t = false 

else { friends[to\.Temove(from)-,friends[from\.Temove(to)-, t ou t = true } }; 
get(id) = atomic {t ou t = (./Wends [id].get, requesters [id] .get) } } 


constituent objects are grouped into arrays friends and requesters and have the type 
RWset of sets with a particular conflict-resolution policy (defined in §3.1). We use these 
sets to store account identifiers: friends [a] gives the set of a’s friends, and requesters [a] 
the set of accounts with pending friendship requests to a. The implementation maintains 
the expected integrity invariants that the friendship relation is symmetric and the friend 
and requester sets of any account are disjoint: 

Vo, b. /neods[o].contains(6) /uends[6].contains(a); (1) 

Va. friends [a] .get n requesters [a] .get = 0. (2) 

The composite operations allow issuing a friendship request, accepting or rejecting 
it, breaking up and getting the information about a given account. For readability, we 
use some further syntactic sugar in the operations. Thus, we replace v m with more de¬ 
scriptive names, recorded after the operation name and, in the case when the parameter 
is meant to be a tuple, introduce separate names for its components. Thus, from and to 
desugar to fst(ui n ) and snd(vi„). We also allow invoking operations on objects inside 
expressions and omit unimportant parameters to operations. 

The code of the composite operations is mostly as expected. For example, request 
adds the user sending the request to the requester set of the user being asked, after 
checking, e.g., that the former is not already a friend of the latter. However, this sim¬ 
plicity is deceptive: when reasoning about the behaviour of the data type, we need to 
consider the possibility of operations being issued concurrently at different replicas. 
For example, what happens if two users concurrently issue friendship requests to each 
other? What if two users managing the same institutional account take conflicting de¬ 
cisions, such as concurrently accepting and rejecting a request? As we argue in §5, it 
is nontrivial to implement the data type so that the behaviour in the above situations be 



acceptable. Using the results in this paper, we can specify the desired social graph be¬ 
haviour and prove that the composite data type in Figure 3 satisfies such a specification. 
Our specification abstracts from the internal structure of the data type, thereby allowing 
us to view it as no different from the primitive set data types it is constructed from. This 
facilitates reasoning about programs using the data type, which we describe next. 

Programs. A program P consists of a series of data type and object variable decla¬ 
rations followed by a client. The latter consists of several commands C \,..., C n , each 
representing a user session accessing the store concurrently with others; a session is 
thus an analogue of a thread in shared-memory languages. An implementation would 
connect each session to one of the store replicas (as in examples in Figure 1), but this is 
transparent on the language level. Data type variables declared in P are used to specify 
the types of objects declared afterwards, and object variables are used inside sessions 
Cj, as per the typing rules. Sessions can thus invoke operations on a number of objects 
of primitive or composite types. By default, every such operation is executed within a 
dedicated transaction. However, like in composite data type implementations, we allow 
sessions to group multiple operations into transactions using atomic blocks included 
into the syntax of commands. We consider data types T and programs P up to the 
standard alpha-equivalence, adjusted so that v m and u ou t are not renamed. 

Technical restriction. To simplify definitions, we assume that commands inside 
atomic blocks always terminate and, thus, so do all operations of composite data types. 
We formalise this restriction when presenting the semantics of the language in §4. It can 
be lifted at the expense of complicating the presentation. Note that the sessions Cj do 
not have to terminate, thereby allowing us to model the reactive nature of store clients. 

3 Replicated store semantics 

A replicated store holds objects of primitive replicated data types and implements op¬ 
erations on these objects. The language of §2 allows us to write programs that interact 
with the store by invoking the operations while grouping primitive objects into com¬ 
posite ones to achieve modularity. The main contribution of this paper is a denotational 
semantics of the language that allows the reasoning about a program to reflect this 
modularity. But before presenting it (in §4), we need to define the semantics of the 
store itself: which values can operations on primitive objects return in an execution of 
the store? This is determined by the consistency model of causally consistent transac¬ 
tions [25,17,18,23,16,11,3], which we informally described in § 1. To formalise it, we 
use a variant of the framework proposed by Burckhardt et al. [10,11,9], which defines 
the store semantics declaratively, without referring to implementation-level concepts 
such as replicas or messages. The framework models store executions using structures 
on events and relations in the style of weak memory models and allows us to define 
the semantics of the store in two stages. We first specify the semantics of single oper¬ 
ations on primitive objects using replicated data type specifications (§3.1), which are 
certain functions on events and relations. We then specify allowed executions of the 
store, including multiple operations on different objects, by constraining the events and 
relations using consistency axioms (§3.2). 



A correspondence between the declarative store specification and operational mod¬ 
els closer to implementations was established elsewhere [10,11,9]. Although we do 
not present an operational model in this paper, we often explain various features of the 
store specification framework by referring to the implementation-level concepts they 
are meant to model. 

The granularity abstraction of the denotational semantics we define in §4 allows 
us to pretend that a composite data type is a primitive one. Hence, when defining the 
semantics, we reuse the replicated data type specifications introduced here to specify 
the behaviour of a composite data type, such as the one in Figure 3, while abstracting 
from the internals of its implementation. 


3.1 Semantics of primitive replicated data types 

In a strongly consistent system, there is a total order on all operations on an object, and 
each operation takes into account the effects of all operations preceding it in this order. 
In an eventually consistent system, the result of an operation o is determined in a more 
complex way: 

1. The result of o depends on the set of operations information about which has 
been delivered to the replica performing o —those visible to o. For example, in 
Figure 1(a) the operation friends[a\. get returns 0 because the message about 
friends [a], add (6) has not yet been delivered to the replica performing the get. 

2. The result of o may also depend on additional information used to order some 
events. For example, we may decide to order concurrent updates to an object using 
timestamps, as is the case when we use the last-writer-wins conflicts resolution 
policy mentioned in § 1. 

Hence, we specify the semantics of a replicated data type by a function F that computes 
the return value of an operation o given its operation context , which includes all we need 
to know about the store execution to determine the value: the set of events visible to o, 
together with a pair of relations on them that specify the above relationships. 

Assume a countably-infinite set Event of events , representing operations issued to 
the store. A relation is a strict partial order if it is transitive and irreflexive. A total 
order is a strict partial order such that for every two distinct elements e and /, the order 
relates e to / or / to e. We call a pair p €* Op x Val = AOp of an operation o together 
with its parameter a an applied operation, written as o(o). 

Definition 1 An operation context is a tuple N = (p, E, aop, vis, ar), where p € 
AOp, E is a finite subset of Event, aop : E —> AOp, and vis (visibility) and ar (arbitra¬ 
tion) are strict partial orders on E such that vis C ar. 

We call the tuple M = (E. aop, vis, ar) a partial operation context. 

We write Ctxt for the set of all operation contexts and denote components of N and 
similar structures as in N.E. For a relation R we write (e, /) 6 R and e —> f inter¬ 
changeably. Informally, the orders vis and ar record the relationships between events in 
E motivated by the above points 1 and 2, respectively. In implementation terms, the re¬ 
quirement vis C ar guarantees that timestamps are consistent with message delivery: if 



e is visible to /, then e has a lower timestamp than /. We define where vis and ar come 
from formally in §3.2; for now we just assume that they are given and define replicated 
data type specifications as certain functions of operation contexts including them. 
Definition 2 A replicated data type specification is a partial function F : Ctxt 
Val that returns the same value on isomorphic operation contexts and preserves it on 
arbitration extensions. Formally, let us order operation contexts by the pre-order C; 

(p, E, aop, vis, ar) C (p', E', aop', vis', ar') <t=> 

p = p' A 37t £ E —>-bijective E'. 7r(aop) = aop' A 7r(vis) = vis' A 7r(ar) C ar', 
where we use the expected lifting of x to relations. Then we require 
\/N, N’ £ Ctxt. N C N' A N £ dom(F) =► N’ £ dom(F) A F(N) = F(N'). (3) 

Let Spec be the set of data type specifications F and assume a fixed Fb for every prim¬ 
itive type B £ PrimType provided by the store. The requirement (3) states that, once 
arbitration gives all the information that is needed in addition to visibility to determine 
the outcome of an operation, arbitrating more events does not change this outcome. 
Replicated sets. We illustrate the above definitions by specifying replicated set data 
types with different conflict-resolution policies. The semantics of a replicated set is 
straightforward when it is add-only, i.e., its signature is {add, contains, get}. An 
element a is in the set if there is an add(a) event in the context, or informally, if the 
replica performing contains(a) has received a message about the addition of a: 

■Fju)«*t(contains(a), E, aop, vis,ar) = (3e £ E. aop(e) = add(a)). 

We define the result to be _L for add operations and define the result of get as expected. 2 

Things become more subtle if we allow removing elements, since we need to define 
the outcome of concurrent operations adding and removing the same element, as in 
the context N = (contains(42), {e, /}, aop, vis, ar), where aop(e) = add(42) and 
aop(/) = remove(42). There are several possible ways of resolving this conflict [7]: in 
add-wins sets (AWset) adds always win against concurrent removes (so that the element 
ends up in the set), remove-wins sets (RWset) act vice versa, and last-writer-wins sets 
(LWWset) apply operations in the order of their timestamps. We specify the result of 
contains in these cases using the vis and ar orders in the operation context: 

F A wset( contains (a), E, aop, vis, ar) = 

3e £ E. aop(e) = add(a) A (V/ € E. aop(/) = remove(a) =f> ~<(e -5% /)); 
-pRWset(contains(a), E, aop, vis, ar) = 

3e £ E. aop(e) = add(a) A (V/ g E. aop(/) = remove(a) => / —A e); 
F LW wset(contains(a), E, aop, vis, ar) = 

3e g E. aop(e) = add(a) A (V/ £ E. aop(/) = remove(a) => / e), 

if ar is total on {e £ E \ aop(e) £ (add(_), remove (-)}}; 

^Lwwset (contains(a), E, aop, vis, ar) = undefined, otherwise. 

2 Aso S et is undefined on contexts with operations other than those from the signature. The type 
system of our ianguage ensures that such contexts do not arise in its semantics. 





Thus, the add-wins semantics is formalised by mandating that remove operations cancel 
only the add operations that are visible to them; the remove-wins semantics additionally 
mandates that they cancel concurrent add operations, but not those that follow them 
in visibility. On the above context N, the operation contains(42) returns true iff: 
-i(e -^4 /) for AWset; / e for RWset; and / -4- e for LWWset. As we show in §5, 
using a remove-wins set for requesters in Figure 3 is crucial for preserving the integrity 
invariant (2); friends could well be add-wins, which would lead to different, but also 
sensible, data type behaviour. 

3.2 Whole-store semantics 

We define the semantics of a causally consistent store by the set of its histories, which 
are certain structures on events recording all client-store interactions that can be pro¬ 
duced during a run of the store; these include operations invoked on all objects and their 
return values. The store has no control over the operations occurring in histories, since 
these are chosen by the client; hence, the semantics only constrains return values. Repli¬ 
cated data type specifications define return values of operations in terms of visibility and 
arbitration, but where do these orders come from? As we explained in §3.1, intuitively, 
they are determined by the way messages are delivered and timestamps assigned in a 
run of a store implementation. Since this highly non-deterministic, in general, visibility 
and arbitration orders are arbitrary, but not entirely. A causally consistent store provides 
to its clients a guarantee that these orders in the contexts of different operations in the 
same run are related in certain ways, and this guarantee disallows anomalies such as the 
one in Figure 1(a). 

We formalise the guarantee using the notion of an execution, which extends a history 
with visibility and arbitration orders on its events. A history is allowed by the store 
semantics if there is a way to extend it to an execution such that: (i) the return values of 
operations in the execution are obtained by applying replicated data type specifications 
to contexts extracted from it; and (ii) the execution satisfies certain consistency axioms, 
which constrain visibility and arbitration and, therefore, operation contexts. 

Histories, executions and the satisfaction of data type specifications. We identify 
objects (primitive or composite) by elements of the set Obj, ranged over by c o. A strict 
partial order R is prefix-finite if {/ | (/, e) £ R} is finite for every e. 

Definition 3 A history is a tuple H = ( E , label, so, ~), where: 

-EC Event. 

- label : E —> Obj x AOp x Val describes the events in E: if label(e) = (cc,p, a), 
then the event e describes the applied operation p on the object co returning the 
value a. 

- so C Ex E is a session order, ordering events in the same session according to 
the order in which they were submitted to the store. We require that so be prefix- 
finite and be the union of finitely many total orders defined on disjoint subsets ofE, 
which correspond to events in different sessions. 

- ~ c E x E is an equivalence relation grouping events in the same transaction. 
Since all transactions terminate (§2), we require that every equivalence class of ~ 



be a finite set. Since every transaction is performed by a single session, we require 
that any two distinct events by the same transaction be related by so one way or 
another: 

Ve, /. e ~ / A e ^ f => e / V / e. 

We also require that a transaction be contiguous in so: 

Ve, /, g. e 5 A e ~ g => e ~ / ~ 5. 

An execution is a triple X = (H, vis. ar) of a history H and prefix-finite strict 
partial orders vis and ar on H.E, such that vis U ar C {(e, /) | H. obj(e) = H.ob](f)} 
and vis C ar. 

We denote the sets of all histories and executions by Hist and Exec. We write H. obj(e), 
.ff.aop(e) and H. rval(e) for the components of ff.label(e) and shorten, e.g., X.H.so 
to X.so. Note that the set H.E can be infinite, which models infinite runs. Figure 1(a) 
graphically represents an execution corresponding to the causality violation anomaly 
explained in §1. The relation ~ is an identity in this case, and the objects in this and 
other executions in Figure 1 are add-only sets (AOset, §3.1). 

Given an execution X, we extract the operation context of an event e e X.E by 
selecting all events visible to it according to X.vis: 

ctxt(Xe) = (X.aop(e), J E,(X.aop)| B ,(Xvis)| E ,(Xar)| B ), (4) 

where E = (X. vis)" 1 (e) and j k is the restriction to events in E. Then, given a function 
F : Obj ■-* Spec that associates data type specifications with some objects, we say that 
an execution X satisfies F if the return value of every event in X is computed on its 
context according to the specification that F gives for the accessed object. 

Definition 4 An execution X satisfies F, written X \= F, if 
Ve e X.E.(X. obj(e) e dom(F) =► X.rval(e) = F(X.obj(e))(ctxt(X,e))). 

Since a context does not include return values, the above equation determines them 
uniquely for the events e satisfying the premise. For example, in the execution in Fig¬ 
ure 1(a) the context of the get from Wf a is empty. Hence, to satisfy F = (Aw. F AOset ), 
the get returns 0. If we had a vis edge from the add(6) to the get, then the latter would 
have to return {6}. 

Consistency axioms. We now formulate additional constraints that executions have 
to satisfy. They restrict the anomalies allowed by the consistency model we consider 
and, in particular, rule out the execution in Figure 1(a). 

To define the semantics of transactions, we use the following operation. For a rela¬ 
tion R on a set of events E and an equivalence relation ~ on E (meant to group events 
in the same transaction), we define the factoring _R/~ of R over ~ as follows: 

R/~ = (5) 

where ; composes relations. Thus, i?/~ includes all edges from R and those obtained 
from such edges by relating any actions coming from the same transactions as their 
endpoints, excluding the case when the endpoints themselves are from the same trans¬ 
action. We also let sameobj(X)(e, /) <*=> X.obj(e) = X.obj(/). 



Definition 5 An execution X = (fE, label, so, ~), vis, ar) is causally consistent if it 
satisfies the following consistency axioms: 

CausalVis. ((so U vis)/~) | n sameobj(.Y) C vis; 

CausalAr. (so U ar)/~ is acyclic; 

Eventual. Ve e E. \{f e E \ sameobj(A:)(e,/) A ->(e /)}| < oo. 

We write X |=cc F if X \= F and X is causally consistent. 

The axioms follow the informal description of the consistency model we gave in §1. 
We explain them below; however, their details are not crucial for understanding the rest 
of the paper. Before explaining the axioms, we note that Definitions 4 and 5 allow us to 
define the semantics of a store with object specifications given by F : Obj —*■ Spec as 
the set of histories that can be extended to a causally consistent execution satisfying F: 

HistCC(F) = {H | 3vis, ar. (H, vis, ar) |= cc F}. (6) 

To prove that a particular store implementation satisfies this specification, for every 
history H the implementation produces we have to come up with vis and ar that satisfy 
the constraint in (6); this is usually done by constructing them from message delivery 
and timestamps in the run of the implementation producing H. Here we rely on previous 
correctness proofs of store implementations [10,11,9] and use the above declarative 
specification of the store semantics without fixing the store implementation. 

Causal consistency. The axioms CausalVis and CausalAr in Definition 5 en¬ 
sure that visibility and arbitration respect causality between operations. CausalVis 
guarantees that an event sees all events on the same object that causally affect it, i.e., 
those preceding it in a chain of session order and visibility edges (ignore the use of 
factoring over ~ for now). Thus, CausalVis disallows the execution in Figure 1(a). 
CausalAr similarly requires that arbitration be consistent with session order on all 
objects (recall that X.vis C X.ar). Eventual formalises the liveness property that 
every replica eventually sees every update: it ensures that an event cannot be invisible 
to infinitely many other events on the same object. 

Transactions. The use of factoring over the ~ relation in CausalVis formalises 
the guarantee provided by causally consistent transactions that we noted in §1: updates 
done by a transaction get delivered to replicas together. According to CausalVis, a 
causal dependency established between two actions of different transactions results in 
a dependency also being established between any other actions in the two transactions. 
Thus, CausalVis disallows the execution in Figure 1(c), where the dashed rectangles 
group events into transactions. The axioms allow the execution in Figure 1(b) even 
when the operations by the same session are done within a transaction—an outcome 
that would not be allowed with serialisable transactions. 

4 Coarse-grained language semantics 

We now describe our main contribution—a coarse-grained denotational semantics of 
programs in the language of §2 that enables modular reasoning. We establish a corre¬ 
spondence between this semantics and the reference fine-grained semantics in §6. 



Fig. 4. Key clauses of the session-local semantics of commands. Here FHist and I Hist are respec¬ 
tively sets of histories with finite and infinite event sets; a[v h* a] denotes the function that has 
the same value as a everywhere except v, where it has the value o; and [] is a nowhere-defined 
function. We assume a standard semantics of expressions [G] : LState(H) — > Val. 

(A | S b C) : (dom(Zl) -h„j Obj) x LState(H) ->• P((FHist x LState(H)) U I Hist) 

(u = G)(obj,a) = {(H emp ,a[v m- [G]a]) | H emp = (0, [],0,0)} 

{v = x.o(G))(obj,cr) = {(H e ,a[v ^ a]) | e € Event A a « Val 

A H e = ({e},[e^ ( O 6y(®),o([G]cr),a)],0,{(e,e)})} 
(atomic {C})(obj, a) = {((£?, label, so, E x E),a') | ({E, label, so, ~), o') g {C){obj,o)} 


4.1 Session-local semantics of commands 

The semantics of the replicated store defined by (6) in §3 describes the store behaviour 
under any client and thus produces histories with all possible sets of client operations. 
However, a particular command C in the language of §2 generates only histories with 
certain sequences of operations. Thus, our first step is to define a session-local seman¬ 
tics that, for each (sequential) command C, gives the set of histories that C can possibly 
generate. This semantics takes into account only the structure of the command C and 
operations on local variables; the return values of operations executed on objects in the 
store are chosen arbitrarily. Later (§4.3), we intersect the set of histories produced by 
the session-local semantics with (6) to take the store semantics into account. 

To track the values of local variables £ in the session-local semantics of a command 
A \ £\- C (Figure 2), we use local states o g LState(H) = £ —> Val. The semantics 
interprets commands by the function {A \ £ h C) in Figure 4. Its first parameter obj 
determines the identities of objects bound to object variables in A. Given an initial local 
state a as the other parameter, (A \ £ b C) returns the set of histories produced by 
C when run from o, together with final local states when applicable. The semantics is 
mostly standard and therefore we give only key clauses; see §A for the remaining ones. 
Recall that, to simplify our formalism, we require every transaction to terminate (§2). 
To formalise this assumption, the clause for atomic filters out infinite histories. 

4.2 Composite data type semantics 

The distinguishing feature of our coarse-grained semantics is its support for granularity 
abstraction: the denotation of a composite data type abstracts from its internal structure. 
Technically, this means that composite data types are interpreted in terms of replicated 
data type specifications, which we originally used for describing the meaning of prim¬ 
itive data types (§3.1). Thus, type variable environments T and data types T h T : O 
(Figure 2) are interpreted over the following domains: 

[r] = dom(r) Spec; [P h T : O] = [r] ^ Spec. 

We use type to range over elements of [T]. Two cases in the definition of [fhT : O] 
are simple. We interpret a primitive data type B g PrimType as the corresponding 
data type specification Fb, which is provided as part of the store specification (§3.1): 



Fig. 5. (a) A context N of coarse-grained events for the social graph data type soc in Figure 3, 
with an event eo added to represent the operation N.p. Solid edges denote both visibility and arbi¬ 
tration (equal, since the data type does not use arbitration). The dashed edges show the additional 
edges in vis' and ar' introduced in Definition 7. (b) An execution X belonging to the concreti- 
sation of N. The objects Wf a , wn,, w ra , u rb correspond to the variables friends[a\, friends[b], 
requesters[a ], requesters[b] of type RWset. Solid edges denote both visibility and arbitration. 
We have omitted the session order inside transactions, the visibility and arbitration edges it in¬ 
duces and the transitive consequences of the edges shown. Dashed rectangles group events into 
transactions. The function (3 maps events in X to the horizontally aligned events in N. 



\E\type = Fb■ We define the denotation of a type variable a by looking it up in the 
environment type: [[ct] type = type (a). 

The remaining and most interesting case is the interpretation [P h D : O] of a 
composite data type 

D = let {xj = new in {o = atomic {C 0 }}oeo- (7) 

For type £ [P], the data type specification P \F h D : Oj type returns a value given 
a context consisting of coarse-grained events that represent composite operations on 
an object of type D (e.g., the one in Figure 5(a)). This achieves granularity abstraction, 
because, once a denotation of this form is computed, it can be used to determine the 
return value of a composite operation without knowing the operations on the constituent 
objects Xj that were done by the implementations C a of the composite operations in its 
context (e.g., the ones in Figure 3). We call events describing the operations on xj 
fine-grained. 

Informally, our approach to defining the denotation P of D is to determine the value 
that P has to return on a context N of coarse-grained events by “running” the imple¬ 
mentations C 0 of the composite operations invoked in N. This produces an execution 
X over fine-grained events that describes how C a acts on the constituent objects Xj —a 
concretisation of N. The execution X has to be causally consistent and satisfy the data 
type specifications for the objects x 3 . We then define F(N) to be the return value that 
the implementation of the composite operation N.p gives in X. However, concretis¬ 
ing N into X is easier said than done: while the history part of X is determined by 
the session-local semantics of the implementations C a (§4.1), determining the visibility 
and arbitration orders so that the resulting denotation be sound (in the sense described 
in §6) is nontrivial and represents our main insight. 



To define the denotation of (7) formally, we first gather all histories that an imple¬ 
mentation C a of a composite operation can produce in the session-local semantics (•) 
into a summary: given an applied composite operation and a return value, a summary 
defines the set of histories that its implementation produces when returning the value. 

Definition 6 A summary p is a partial map p : AOp x Val —*■ 'P(FHist) such that 
for every (p, a) £ dom(p), p(p, a) is closed under the renaming of events, and for every 
H £ p(p, a), H.so is a total order on H.E and H.~ = H.E x H.E. 

For a family of commands {A | '(.’in, t’ ou t F C 0 } 0 eO and obj : dom(Z\) —H n j Obj, 
we define the corresponding summary \{C Q } O ^o\(obj) : AOp x Val — 1 'P(FHist) as 
follows: for o' £ O and a,b £ Val, we let 

l{C 0 }oeoi(obj)(o'(a),b) = 

{H I (H, [u in (4- _,u out ^ b ]) e (atomic {C & })\obj^ a,v out ^ JLJJ}. 

For example, the method bodies C a in Figure 3 and an appropriate obj define the sum¬ 
mary p soc = [{ Co } o6 {request : accept....}] ( obj ). This maps the get operation in Fig¬ 
ure 5(a) to a set of histories including the one shown to the right of it in Figure 5(b). 

We now define the executions X that may result from “running” the implementa¬ 
tions of composite operations in a coarse-grained context N given by a summary p. 
The definition below pairs these executions X with the value c returned in them by the 
implementation of N.p, since this is what we are ultimately interested in. We first state 
the formal definition, and then explain it in detail. We write id for the identity relation. 

Definition 7 A pair (X,c) € Exec x Val is a concretisation of a context N with 
respect to a summary p : AOp x Val —*■ 'P(FHist) if for some event eo f N.E and 
function (i : X.E -y N.E l±l {eo} we have 


(V/ 6 (N.E). (X.H)\p- 1(f) € p(N .aop(/), _)) A ((X.H) 

eo ) e P( N -P> c)); (8) 

/3(X.so) C id; 

(9) 

/?(Xvis) - id C vis'; 

(10) 

0] '(vis') flsameobj(X) C X.vis; 

(ID 

/3(Xar) -id C ar', 

(12) 


where vis' = TV.vis U {(/, eo) | / G N.E} and ar' = N. ar U {(/, eo) | / G N.E}. 

We write y (N, p) for the set of all concretisations of N with respect to p. 

For example, the pair of the execution and the value in Figure 5(b) belongs to 
7 (N, p soc ) for N in Figure 5(a). When X concretises N with respect to p, the his¬ 
tory X.H is a result of expanding every composite operation in N into a history of its 
implementation according to p. The function j3 maps every event in X.E to the event 
from N it came from, with an event eo added to N.E to represent the operation N.p: 
this is formalised by (8). The condition (9) further requires that the implementation 
of every composite operation be executed in a dedicated session. As it happens, it is 
enough to consider concretisations of this form to define the denotation. 



The conditions (10)—(12) represent the main insight of our definition of the denota¬ 
tion: they tell us how to select the visibility and arbitration orders in X given those in 
N. They are best understood by appealing to the intuition about how an implementa¬ 
tion of the store operates. Recall that, from this perspective, visibility captures message 
delivery: an event is visible to another event if and only if the information about the 
former has been delivered to the replica of the latter (§3.1). Also, in implementations 
of causally consistent transactions, updates done by a transaction are delivered to every 
replica together (§1). Since composite operations execute inside transactions, the visi¬ 
bility order in N can thus be intuitively thought of as specifying the delivery of groups 
of updates made by them: we have an edge e! > f between coarse-grained events 
e' and f in N (e.g., request and accept in Figure 5(a)) if and only if the updates 
performed by the transaction denoted by e' have been delivered to the replica of /'. 
Now consider fine-grained events e, / € X.E on the same constituent object describ¬ 
ing updates made inside the transactions of e! and /', so that /3(e) = e! and /3(/) = f 
(e.g., w ra .add(6) and aj ra .contains(6) in Figure 5(b)). Then we can have e ^~ v - s > / if 
and only if e' —> /'. This is formalised by (10) and (11). 

To explain (12), recall that arbitration captures the order of timestamps assigned 
to events by the store implementation. Also, in implementations the timestamps of all 
updates done by a transaction are contiguous in this order. Thus, arbitration in N can 
be thought of as specifying the timestamp order on the level of whole transactions 
corresponding to the composite operations in N. Then (12) states that the order of 
timestamps of fine-grained events in X is consistent with that over transactions these 
events come from. 

To define the denotation, we need to consider only those executions concretising N 
that are causally consistent and satisfy data type specifications. Hence, for F : Obj — k 
Spec we let 

1 {N,p,F) = {(X,c)ey(N,p) | XKcF}. 

For example, the execution in Figure 5(b) belongs to 7 (3V, p soc , F) for N in Figure 5(a) 
and F = (Aw. F RWset ). As the following theorem shows, the constraints (8)-(12) are 
so tight that the set of concretisations defined in this way never contains two different 
return values; this holds even if we allow choosing object identities differently. 
Theorem 8 Given a family {A | u in , u out F C a } oe o> we have: 

VN.Vobji, obj 2 € [dom(Zl) —Obj]. 

VFi € [range(o&) 1 ) Spec].VF 2 e [range(o&j 2 ) -A Spec]. 

(Vx e dom(Z\).Fi(o&) 1 (a;)) =F 2(obj 2 (x))) => 

V(X 2 ,c 2 ) 6 'y(N,l{C o } oeO }(0bj 2 ),W2).c 1 = c 2 . 

This allows us to define the denotation of (7) according to the outline we gave before. 
Definition 9 For (7) we let [.T I- D] type = F, where F : Ctxt — k Val is defined as 
follows: for N e Ctxt and c € Val, if 

3obj e [{xj | j = l..m} —>- in j Obj].3F i| [range(o&j) -4 Spec]. 

(Vj = l..m.F(obj(xj)) = ITjjtype) A (_,c) e 7 (N, [{C' 0 } oe o](o&j),F), 



Fig.6. Semantics of P \ A h P. Here H t±) H' = ( H.E a H'.E, Tif.label a H'. label, H. so U 
H'. so, H.~ U P'.~); undefined if so is H.E a H'.E. 

ir I A h P} : [PJ n o 6je[dom(/i)->. inj obj](( ran ge( 0 ^i) ^ Spec) P(Hist)) 

[let a = T in Pj(type, obj, F) = {P}(type[a i-t \T\type\, obj, F) 

[let x = newT in P}(type, obj, F) = \J{iPj(type, obj[ x n- w],F[w \T\type\) \ 

w 0 range(o&))} 

[Ct I... || C n j(type, obj, F) = HistCC(F) n { |+J” =1 Hj \ Mj = l..n. 
_ (Hj,-) € (Cj)(obj, []) V Hj £ (C d )(obj, [])} 


then F(N) = c; otherwise F(N) is undefined. 

The existence and uniqueness of F in the definition follow from Theorem 8. It is easy 
to check that F defined above satisfies all the properties required in Definition 2 and, 
hence, F £ Spec. According to the above definition, the denotation of the data type in 
Figure 3 has to give ({6}, 0) on the context in Figure 5(a). 

4.3 Program semantics 

Having defined the denotations of composite data types, we give the semantics to a 
program in the language of §2 by instantiating (6) with an F computed from these de¬ 
notations and by intersecting the result with the set of histories that can be produced 
by the program according to the session-local semantics of its sessions (§4.1). A pro¬ 
gram F | A h P is interpreted with respect to environments type, obj and F, which 
give the semantics of data type variables in F, the identities of objects in A and the 
specifications associated with these objects (Figure 6). A data type variable declaration 
extends the type environment with the specification of the data type computed from its 
declaration as described in §4.2. An object variable declaration extends obj with a fresh 
object and F with the specification corresponding to its type. A client is interpreted by 
combining all histories its sessions produce in the session-local semantics with respect 
to obj and intersecting the result with (6). Note that we originally defined the store se¬ 
mantics (6) under the assumption that all replicated data types are primitive. Here we 
are able to reuse the definition because our denotations of composite data types have 
the same form as those of primitive ones. 

Using the semantics. Our denotational semantics enables modular reasoning about 
programs with composite replicated data types. Namely, it allows us to check if a pro¬ 
gram P can produce a given history H by: (i) computing the denotations F of the 
composite data types used in P; and (ii) checking if the client of P can produce H 
assuming it uses primitive data types with the specifications F. Due to the granularity 
abstraction in our denotation, it represents every invocation of a composite operation by 
a single event and thereby abstracts from its internal structure. In particular, different 
composite data type implementations can have the same denotation describing the data 
type behaviour. As a consequence, in (ii) we can pretend that composite data types are 
primitive and thus do not have to reason about the behaviour of their implementations 




and the client together. For example, we can determine how a program using the so¬ 
cial graph data type behaves in the situation shown in Figure 5(a) using the result the 
data type denotation gives on this context, without considering how its implementation 
behaves (cf. Figure 5(b)). We get the same benefits when reasoning about a complex 
composite data type D constructed from simpler composite data types Tj as in (7): we 
can first compute the denotations of Tj and then use the results in reasoning about D. 

In practice, we do not compute the denotation of a composite data type D using 
Definition 9 directly. Instead, we typically invent a specification F that describes the 
desired behaviour of D , and then prove that F is equal to the denotation of D, i.e., that 
D is correct with respect to F. Definition 9 and, in particular, constraints (8)-(12), give 
a proof method for establishing this. The next section illustrates this on an example. 

5 Example: social graph 

We have applied the composite data type denotation in §4 to specify and prove the 
correctness of three composite data types: (i) the social graph data type in Figure 3; (ii) 
a shopping cart data type implemented using an add-wins set, which resolves conflicts 
between concurrent changes to the quantity of the same product; (iii) a data type that 
uses transactions to simultaneously update several objects that resolve conflicts using 
the last-writer-wins policy (cf. LWWset from §3.1). The latter example uses arbitration 
in a nontrivial way. Due to space constraints, we focus here on the social graph data 
type and defer the others to §E. 

Below we give a specification F soc to the social graph data type, which we have 
proved to be the denotation of its implementation D soc in Figure 3. The proof is done 
by considering an arbitrary context N and its concretisation (X, c) according to Def¬ 
inition 7 and showing that F soc (N) = c. The constraints (8)-(12) make the required 
reasoning mostly mechanical and therefore we defer the easy proof to §E and only il¬ 
lustrate the correspondence between D soc and F soc on examples. 

The function F soc is defined recursively using the following operation that selects 
a subcontext of a given event in a context, analogously to the ctxt operation on execu¬ 
tions (4) from §3.2. For a partial context M and an event e G M.E, we let 

ctxt (M, e) = (M.aop(e), E, (M.aop)!#, (M.v\s)\e, (M.ar)| B ), 
where E = (M.vis) -1 (e). Then 
-F S oc (get (a), M) = 

({6 | Be G (M.E). (M. aop(e) = accept((6, a) \ (a, b ))) A F soc (ctxt(M, e)) A 
V/ € (M.E). (M.aop(/) G breakup((6, a) \ (a, b))) A F soc (ctxt(M, e)) 

=> / e}, 

{b | Be G (M.E). (M. aop(e) = request(6, a)) A F soc (ctxt(M, e)) A 

V/ G (M.E). (M.aop(f) G (accept | reject)((6, a) | (a, b))) A F soc (ctxt(M, e)) 

=> / -^> e}); 

F soc (accept(6, a), M) = (b G snd(F soc (get(a), M))). 



The results of request, reject and breakup are defined similarly to accept. For 
brevity, we use the notation ( G\ \ G2) above to denote the set arising from picking 
either G\ or Gi as the subexpression of the expression where it occurs. Even though the 
definition looks complicated, its conceptual idea is simple and has a temporal flavour. 
Our definition takes into account that: after breaking up, users can become friends again; 
and sometimes data type operations are unsuccessful, in which case they return false. 
According to the two components of F soc (get(a), M ): 

1. a’s friends are the accounts b with a successful accept operation between a and 
b such that any successful breakup between them was in its past, as formalised 
by visibility. We determine whether an operation was successful by calling F soc 
recursively on its subcontext. 

2. a’s requesters are the accounts b with a successful request (6, a) operation such 
that any successful accept or reject between a and b was in its past. 

This specifies the behaviour of the data type while abstracting from its implementation, 
thereby enabling modular reasoning about programs using it (§4.3). 

Our specification F soc can be used to analyse the behaviour of the implementation 
in Figure 3. By a simple unrolling of the definition of F soc , it is easy to check that the 
two sets returned by F soc (get(a), M) are disjoint and, hence, the invariant (2) in §2 
holds; (1) can be checked similarly. Also, since F soc returns ({ b }, 0) on the context in 
Figure 5(a), when the same friendship request is concurrently accepted and rejected, 
the accept wins. Different behaviour could also be reasonable; the decision ultimately 
depends on application requirements. 

We now illustrate the correspondence between D soc and F soc on examples and, on 
the way, show that our coarse-grained semantics lets one understand how the choice 
of conflict-resolution policies on constituent objects affects the policy of the composite 
data type. First, we argue that making requesters remove-wins in Figure 3 is crucial 
for preserving the integrity invariant (2) and satisfying F soc . Indeed, consider the sce¬ 
nario shown in Figure 7(a). Here two users managing the same account b concurrently 
issue friendship requests to a, which initially sees only one of them. If requesters were 
add-wins, the accept by a would affect only the request that it sees. The remaining 
request would eventually propagate to all replicas in the system, and the calls to get in 
the implementation would thus return b as being both a friend and a requester of a’s, 
violating (2). The remove-wins policy of requesters ensures that, when a user accepts 
or rejects a request, this also removes all identical requests issued concurrently. 

If we made friends add-wins, this would make the data type behave differently, 
but sensibly, as illustrated in Figure 7(b). Here we again have two concurrently issued 
requests from b to a. The account a may also be managed by multiple users, which 
concurrently accept the requests they happen to see. One of the users then immedi¬ 
ately breaks up with a. Since friends are remove-wins, this cancels the addition of b 
to friends[a\ (i.e., Wf a ) resulting from the concurrent accept by the other user; thus, b 
ends up not being a’s friend, as prescribed by F soc . Making friends add-wins would 
result in the reverse outcome, and F soc would have to change accordingly. Thus, the 
conflict-resolution policy on friends determines the way conflicts between accept and 
breakup are resolved. 



Fig. 7. (Left) Coarse-grained contexts of the social graph data type together with the result that 
Fsoc gives on them. (Right) Relevant events of the fine-grained executions of the implementation 
in Figure 3 resulting from concretising the contexts according to Definition 7. We use the same 
conventions as in Figure 5. 
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Finally, if users a and b issue friendship requests to each other concurrently, a de¬ 
cision such as an accept taken on one of them will also affect the other, as illustrated 
in Figure 7(c). To handle this situation without violating (2), accept removes not only 
the request it is resolving, but also the symmetric one. 

6 Fine-grained language semantics, soundness and completeness 

To justify that the coarse-grained semantics from §4 is sensible, we relate it to a fine¬ 
grained semantics that follows the standard way of defining language semantics on 
weak consistency models [10,6]. Unlike the coarse-grained semantics, the fine-grained 
one is defined non-compositionally: it considers only certain complete programs and 
defines the denotation of a program as a whole, without separately defining denotations 
of composite data types in it. This denotation is computed using histories that record 
all operations on all primitive objects comprising the composite data types in the pro¬ 
gram; hence, the name fine-grained. The semantics includes those histories that can be 
produced by the the program in the session-local semantics (§4.1) and are allowed by 
the semantics of the store managing the primitive objects the program uses (§3). 

We state the correspondence between the coarse-grained and fine-grained seman¬ 
tics as an equivalence of the extemally-observable behaviour of a program in the two 
semantics. Let us fix a variable x lo £ OVar and an object io £ Obj used to inter¬ 
pret x lo . A program P is complete if 0 | x- lo : {o; 0 } F P. The operation o lo on x- lo 





models a combined user input-output action, rather than an operation on the store, and 
the externally-observable behaviour of a complete program P is given by operations 
on x m it performs. Formally, for a history H let observ(JJ) be its projection to events 
on io: {e £ H \ H. obj(e) = io}. We lift observ to sets of histories pointwise. Then 
we define the set of externally-observable behaviours of a complete program P in the 
coarse-grained semantics of §4 as [P]cg = observ([P]([], [a;*, : io], [])). Note that our 
semantics does not restrict the values returned by o lo , thus accepting any input. 

To define the fine-grained semantics of a complete program P, we flatten P by in¬ 
lining composite data type definitions using a series of reductions —> on programs 
(defined shortly). Applying the reductions exhaustively yields programs with only ob¬ 
jects of primitive data types, which have the following normal form: 

P ::= Ci || ... || C n | let x = new B in P 

Given a complete program P, consider the unique P such that P —A P and 
P _. Then we define the denotation of P in the fine-grained semantics by the set 
of externally-observable behaviours that P produces when interacting with a causally 
consistent store managing the primitive objects it uses. To formalise this, we reuse the 
definition of the coarse-grained semantics and define the denotation of P in the fine¬ 
grained semantics as [P]fg = [P]cg- Since P contains only primitive data types, this 
does not use the composite data type denotation of §4.2. 

We now define the reduction —h Let Comm be the set of commands C in Fig¬ 
ure 2. We use an operator subst that takes a mapping S : OVar x Op —*■ Comm and a 
command Cora program P, and replaces invocations of object operations in C or P 
according to S. The key clauses defining subst are as follows: 

subst(S,v = x.o(G)) = if ((a;,o) ^ dom(S')) then ( v = x.o(G)) 

else (atomic {var v\. varu2- Vi = G; ( S(x, o)[vi/v m , U2/u out |); v = V2}) 
subst(S, let x = new T in P) = let x = new T in subst(S\^ x , P) 
subst(S, let a = T in P) = let a = T in subst(S, P) 
subst(S,Ci || ... || C n ) = subst(S,Gi) || ... || subst(S,C n ) 

Here vi, are fresh ordinary variables, and S\^ x denotes S with its domain restricted 
to (OVar \ {a;}) x Op. Applying subst to an assignment command does not change the 
command, and applying it to all others results in recursive applications of subst to their 
subexpressions. Then the relation —> is defined as follows: 

V ::= [—] | let x = new T in V | let a = T in V 
piet o = / in p; —► p[P[r/H 

P[let x = new (let {xj = new Tj} J= i.. m in {o = atomic { C 0 }} 0 eo ) in P] 

—> P[let {xj = new in subst({(x, o)\-^C a \ o £ 0},P)|, 

where Xj do not occur in P. The first reduction rule replaces data-type variables by their 
definitions, and the second defines the semantics of composite operations via inlining. 

Our central technical result is that the coarse-grained semantics of §4 is sound 
and complete with respect to the fine-grained semantics presented here: the sets of 
externally-observable behaviours of programs in the two semantics coincide. 



Theorem 10 For every complete program P we have [P]fg = [P]cg- 

We give a (highly nontrivial) proof in §D. The theorem allows us to reason about pro¬ 
grams using the coarse-grained semantics, which enables granularity abstraction and 
modular reasoning (§4.3). It also implies that our denotational semantics is adequate, 
i.e., can be used to prove the observational equivalence of two data type implementa¬ 
tions Di and D 2 : if [Di] = I-D2], then [C[£>i]]fg = [C[£>2]]fg for all contexts C of 
the form P[let a = [—] in P], Note that both soundness and completeness are needed 
to imply this property. 

7 Related work 

One of the classical questions of data abstraction is: how can we define the semantics 
of a data type implementation that abstracts away the implementation details, includ¬ 
ing a particular choice of data representation? Our results can be viewed as revisiting 
this question, which has so far been investigated in the context of sequential [14] and 
shared-memory concurrent [12,24] programs, in the emerging domain of eventually 
consistent distributed systems. Most of the work on data abstraction for concurrency 
has considered a strongly consistent setting [12,24], Thus, it typically aimed to achieve 
atomicity abstraction, which allows one to pretend that a composite command takes 
effect atomically throughout the system. Here we consider data abstraction in the more 
challenging setting of weak consistency and achieve a weaker and more subtle guar¬ 
antee of granularity abstraction: even though our coarse-grained semantics represents 
composite operations by single events, these events are still subject to anomalies of 
causal consistency, with different replicas being able to see the events at different times. 

We are aware of only a few previous data abstraction results for weak consis¬ 
tency [15,8,5]. The most closely related is the one for the C/C++ memory model [6] 
by Batty et al. [5]. Like the consistency model we consider, the C/C++ model is de¬ 
fined axiomatically, which leads to some similarities in the general approach followed 
in [5] and in this paper. However, other features of the settings considered are dif¬ 
ferent. First, we consider arbitrary replicated data types, whereas, as any model of a 
shared-memory language, the C/C++ one considers only registers with the last-writer- 
wins conflict-resolution policy. Second, the artefacts related during abstraction in [5] 
and in this paper are different. Instead of composite replicated data types, [5] considers 
libraries, which encapsulate last-writer-wins registers and operations accessing them 
implemented by arbitrary code without using transactions. A specification of a library 
is then just another library, but with operations implemented using atomic blocks remi¬ 
niscent of our transactions. Hence, a single invocation of an operation of a specification 
library is still represented by multiple events and therefore [5] does not support granu¬ 
larity abstraction to the extent achieved here. Our work can roughly be viewed as start¬ 
ing where [5] left off, with composite constructions whose operations are implemented 
using transactions, and specifying their behaviour more declaratively with replicated 
data type specifications over contexts of coarse-grained events. It is thus possible that 
our approach can be adapted to give more declarative specifications to C/C++ libraries. 

Researchers and developers have often implemented complex objects with domain- 
specific conflict resolution policies inside replicated stores [21], which requires dealing 



with low-level details, such as message exchange between replicas. Our results show 
that, using causally consistent transactions, such complex domain-specific objects can 
often be implemented as composite replicated data types, using a high-level program¬ 
ming model to compose replicated objects and their conflict-resolution policies. Fur¬ 
thermore, due to the granularity abstraction we established, the resulting objects can be 
viewed as no different from those implemented inside the store. 

We specify composite replicated data types using the formalism proposed for prim¬ 
itive replicated data types by Burckhardt et al. [10]. Thus, the novelty of our results lies 
not in the specification formalism, but in achieving granularity abstraction that lets us 
consider a composite data type as primitive and thereby specify it in this way. Burck¬ 
hardt et al. also proposed a method for proving the correctness of data type implemen¬ 
tations. This method considers only primitive data types implemented inside the store 
in a low-level way (e.g., using message exchanges), whereas we consider composite 
data types implemented using transactions in a higher-level model. Thus, the technical 
challenges addressed by the two methods are different. 

Partial orders, such as event structures [19] and Mazurkiewicz traces [20], have been 
used to define semantics of concurrent or distributed programs by explicitly expressing 
the dependency relationships among events such programs generate. Our results extend 
this line of semantics research by considering new kinds of relations among events, 
describing computations of eventually consistent replicated stores, and studying how 
consistency axioms on these relations interact with the granularity abstraction for com¬ 
posite replicated data types. 


8 Conclusion 


In this paper we have proposed the concept of composite replicated data types, which 
formalises a common way of organising applications on top of eventually consistent 
stores. We have also presented a coarse-grained denotational semantics for these data 
types that supports granularity abstraction: the semantics allows us to abstract from the 
internals of a composite data type implementation and pretend that it represents a single 
monolithic object, which simplifies reasoning about client programs. Using a nontrivial 
example, we have illustrated how the denotation of a data type in our semantics specifies 
its behaviour in tricky situations and thereby lets one understand the consequences of 
different design decisions in its implementation. Finally, we have shown our semantics 
is sound and complete with respect to a standard non-compositional semantics. 

As we explained in §1, developing correct programs on top of eventually consis¬ 
tent stores is a challenging yet unavoidable task. Our results mark the first step towards 
providing developers with methods and tools for specifying and verifying programs in 
this new programming environment and expanding the rich theories of programming 
languages, such as data abstraction, to this environment. Even though our results were 
developed for a particular popular variant of eventual consistency—causally consistent 
transactions—we hope that in the future the results can be generalised to other consis¬ 
tency models with similar formalisations [9, 3]. 



References 


1. Microsoft TouchDevelop. https://www.touchdevelop.com/. 

2. D. Abadi. Consistency tradeoffs in modern distributed database system design: CAP is only 
part of the story. IEEE Computer, 2012. 

3. P. Bailis, A. Davidson, A. Fekete, A. Ghodsi, J. M. Hellerstein, and I. Stoica. Highly Avail¬ 
able Transactions: virtues and limitations. In VLDB, 2014. 

4. P. Bailis and A. Ghodsi. Eventual consistency today: Limitations, extensions, and beyond. 
CACM, 56(5), 2013. 

5. M. Batty, M. Dodds, and A. Gotsman. Library abstraction for C/C++ concurrency. In POPE, 
2013. 

6. M. Batty, S. Owens, S. Sarkar, P. Sewell, and T. Weber. Mathematizing C++ concurrency. In 
POPE, 2011. 

7. A. Bieniusa, M. Zawirski, N. M. Pregui§a, M. Shapiro, C. Baquero, V. Balegas, and 
S. Duarte. Semantics of eventually consistent replicated sets. In DISC, 2012. 

8. S. Burckhardt, A. Gotsman, M. Musuvathi, and H. Yang. Concurrent library correctness on 
the TSO memory model. In ESOP, 2012. 

9. S. Burckhardt, A. Gotsman, and H. Yang. Understanding eventual consistency. Technical 
Report MSR-TR-2013-39, Microsoft, 2013. 

10. S. Burckhardt, A. Gotsman, H. Yang, and M. Zawirski. Replicated data types: specification, 
verification, optimality. In POPE, 2014. 

11. S. Burckhardt, D. Leijen, M. Fahndrich, and M. Sagiv. Eventually consistent transactions. 
In ESOP, 2012. 

12. I. Filipovic, P. W. O’Heam, N. Rinetzky, and H. Yang. Abstraction for concurrent objects. 
Theor. Comput. Sci., 411(51-52), 2010. 

13. S. Gilbert and N. Lynch. Brewer’s conjecture and the feasibility of consistent, available, 
partition-tolerant web services. SIGACT News, 33(2), 2002. 

14. C. A. R. Hoare. Proof of correctness of data representations. Acta Inf., 1, 1972. 

15. R. Jagadeesan, G. Petri, C. Pitcher, and J. Riely. Quarantining weakness - compositional 
reasoning under relaxed memory models (extended abstract). In ESOP, 2013. 

16. C. Li, D. Porto, A. Clement, R. Rodrigues, N. Preguifa, and J. Gehrke. Making geo- 
replicated systems fast if possible, consistent when necessary. In OSDI, 2012. 

17. W. Lloyd, M. I. Freedman, M. Kaminsky, and D. G. Andersen. Don’t settle for eventual: 
scalable causal consistency for wide-area storage with COPS. In SOSP, 2011. 

18. W. Lloyd, M. I. Freedman, M. Kaminsky, and D. G. Andersen. Stronger semantics for low- 
latency geo-replicated storage. In NSDI, 2013. 

19. M. Nielsen, G. D. Plotkin, and G. Winskel. Petri nets, event structures and domains. In 
Semantics of Concurrent Computation, 1979. 

20. M. Nielsen, V. Sassone, and G. Winskel. Relationships between models of concurrency. In 
REX School/Symposium, 1993. 

21. M. Shapiro, N. Preguifa, C. Baquero, and M. Zawirski. A comprehensive study of Conver¬ 
gent and Commutative Replicated Data Types. Technical Report 7506, INRIA, 2011. 

22. M. Shapiro, N. M. Preguifa, C. Baquero, and M. Zawirski. Conflict-free replicated data 
types. In SSS, 2011. 

23. Y. Sovran, R. Power, M. K. Aguilera, and J. Li. Transactional storage for geo-replicated 
systems. In SOSP, 2011. 

24. A. Turon, D. Dreyer, and L. Birkedal. Unifying refinement and hoare-style reasoning in a 
logic for higher-order concurrency. In ICFP, 2013. 

25. M. Zawirski, A. Bieniusa, V. Balegas, S. Duarte, C. Baquero, M. Shapiro, and N. Preguuja. 
SwiftCloud: Fault-tolerant geo-replication integrated all the way to the client machine. Tech¬ 
nical Report 8347, INRIA, 2013. 



A Additional clauses of the session-local semantics 


(var v. C)(obj, a) = (IHist n ( C)(obj , a[v _L])) U 

| dom(£) ) | (U.ct') € {C)(obj.o[v 


(if G then Ci else C 2 )(obj, a) = 


({C t )(obj,a), if I0I<7 
\(C 2 )(obj,cr), otherwise; 


M)h 


(Ci;C 2 ){obj,a) = seq((Ci) (obj,a), Xa '. (C 2 )(obj,a')); 


(while G do C)(obj,a) = (greatestFix K)(a), 


where 


K = A W. A o'. 


r{((0,[],0,0),a')} if[G]a' = 0; 
\seq((C)(obj, a'), W) otherwise; 


seq (U,W) = 

{((£1 a E 2 , label! a label 2 ,soi U so 2 U (Ei x E 2 ),~ 1 U ~ 2 ),cr 2 ) | 

((Ei, labeli,soi,~i),cri) e U A ((E 2 , label 2 ,so 2 , ~ 2 ),cr 2 ) € W{cr\)} U 
{(Ei a E 2 , labeli a label 2 , soi U so 2 U (Ei x E 2 ), ~i U ~ 2 ) | 

((Ei, labeli, soi,~i),cri) € U A (E 2 , label 2 , so 2 , ~ 2 ) € W(ai)} U 
(IHistnE). 


Note that in the clause for local-variable declarations we assume an appropriate alpha¬ 
renaming of bound variables. 


B Characterisation of 7 (N, p, F) in terms of abstraction 

In the rest of the appendix, we use an alternative, equivalent characterisation of 
7(iV, p, F) given in the main text. Our characterisation is based on the notion of abstrac¬ 
tion. This characterisation will help us to manage the complexity of reasoning involved 
in the proofs of the theorems. 

Definition 11 An abstraction from a history H to a tuple ( N, eo, c) of a context N, 
an event eo ^ N.E and a value c e Val is a pair iff p) of a function (i : H.E —> 
N.E l±l {eo} and an summary p : AOp x Val —*■ 'P(FHist) such that 

(V/ e (N.E). € p(iV.aop(/), _)) A 

(H\p- Heo ) e p{N.p,c)) A /3(H. so) C id A /3(ff.~) C id. 

We write (0. p) : H —> (TV, eo, c) to mean that (0. p) is an abstraction of H into 
(N, e 0 , c). 



Definition 12 An abstraction from an execution X to (N. eg, c) is an abstraction 
(/?, p): X.H —> (X, e 0 , c) such that 

^(X.vis) - id C vis'; 

/3 _1 (vis') nsameobj(X) C X.vis; 

/3(X.ar) - id C ar', 


where 

vis' = #.visU{(/,e 0 ) | / € X.X}; 
ar' = X.ar U{(/,e 0 ) | / <F X./v}. 

We write (/3, p) : X — » (X, eo,c) to mean that (/3,p) is an abstraction of X into 
(N, e 0 , c). 

It is immediate from our definition that 

7 (X, p) = {(X, c) | 3e 0 £ (N.E). 3/3. (0, p) : X (X, e 0 , c)}. 

From this observation follows the following lemma: 

Lemma 1. 

7 (X,p,F) = {(X, c) | 3e 0 0 (X.X). 3/3.(/3,p) : X —y. (X, e 0 , c) A X |= cc F}. 

C Proof of Theorem 8 

In the following we use X.op(e) and H. arg(e) to denote the components of X.aop(e). 

We define the notions of morphisms between histories and executions, which gen¬ 
eralise the abstraction from histories or executions to contexts in Definitions 11 and 12. 
For u> £ Obj we let 


Hist(w) = {H £ Hist | H.ob\(H.E) = {te}}; 

Exec(u;) = {X e Exec | X.H £ Hist(w)}. 

Definition 13 A morphism from a history H to another history H', such that H £ 
Hist and H' £ Hist {uf) for some ui, is a pair of a function (3 : H.E —t H' .E and a 
summary p : AOp x Val —=• 'P(FHist) such that 

(Ve e {H'.E). H\ p -x (e) £ p{H'. aop(e), X'.rval(e))) A 
P{H. so) - id = (// , .so)|p { „.„ ) A \ fi(H ' E) . 

We write {fi. p) : H —» H' to mean that (6, p) is a morphism from H to H'. 

Lemma 14 For every morphism (/3, p) : H —» H', we have that 

Ve,f£H.E.{e,f)£H.~ <f=> {0{e),0(f)) £ H'.~. 



Proof. Let (0, p) be a morphism from H to H'. Consider e, / G H.E. By the defi¬ 
nition of morphism, /3(iL~) = (// r .~) . Hence, 

(e,/)eF.~ =► (0(e), 0(f)) G 

Let us move on to the other imphcation. Assume that (/3(e), /3(/)) € Since 

0(H.~) = {H' there exist e!, f G H.E such that 

/3(e) = /3(e') A /3(/) = /3(/') A (e'/')€^. 

Let e" = /3(e') and /" = /3(f). Since (/3, p) is a morphism, 

e p( J ff , .aop(e"),^ , .rval(e")) A * p(H'.*op(f"), ff'.rval(/")). 

Recall that every history in the image of p uses the complete relation (i.e., a relation 
that relates all pairs of events) as its equivalence relation. Also, e, e! G (A/1,g-1 r e n\).E 
and/,/' G {H\ p - 1{r) ).E. Hence, 

(e,e')Gtf.~ A (/',/) Gff.~. 

Since (e', /') G i7.~, by the transitivity of H.~, we have that (e, /) G il.~, as desired. 

□ 

Definition 15 A morphism from an execution X G Exec to another execution X' G 
Exec(w) is a morphism (/3, p) : X.H —> X'.H such that 

/3(X.vis) — id C X'.vis A 0 '^-{X'.vis) fl sameobj(X) C X.vis 
A /3(X.ar) - id C X'.ar. 

We write (/3, p) : X —» X' to mean that (/3, p) is a morphism from X to X'. 

Definition 16 An operation context N can be embedded into an execution X at an 
event e f N.E, denoted ( N , e) c —> X, if and only if for some to G Obj, 

X.E = N.E l±l {e} A X.obj (X.E) = {w} A X.so = 0 A X.~ = id 
A X.vis = X.vis U {(/, e) | / G N.E} A X.ar = X.ar U {(/, e) | / G N.E}. 

Proposition 17 For all 0, p, X, X, e such that e N.E, a, 

(/3 ,p):X->(N,e,a) <f=> 

(aX'. (N, e) -4 X' A (/3, p) : X ->■ X' A a = X'.rval(e)). 

Hence, 7 from §4 can be equivalently defined as follows: 

7 (X, p, F) = {(X, a) | Be £ N.E. 30.3X'. (X, e) X' A (0, p) : X ->• X' 

Aa = X'.rval(e)AX (= cc F}. 


In the following we sometimes use this fact even without mentioning it explicitly. 



For H \, H-2 € Hist and it : Hi.E —> b y H 2 .E we let 


H x H 2 <=* 7r(//t .label) = F 2 .label A tf^.so) = F 2 .so A 7r(.ff 1 .~) = F 2 .~; 

i?i « F 2 «=> 3 tt.Fi //*. 

For X-|, X 2 e Exec and n : X\.E —» bi j X 2 .F we let: 

Xi fe* X 2 <^=> X x .H rj* X 2 .FA7r(Xi.vis) = X 2 .visA(7r(X 1 .ar)UX 2 .ar is acyclic); 

X\ « rva | X 2 <*=> Xi.E = X 2 .E A Fi.obj = f? 2 .obj A Fi.aop = F 2 .aop A 
Xi .so = X 2 .so A Xi.~ = X 2 .~ A Xi .vis = X 2 .vis A Xi.ar = X 2 .ar. 

We also let 

CExec = {X e Exec | {\X.E\ < oo) A 

3w e Obj. X.H e Hist(w) A X.so = 0 A X.~ = id}. 

A history H is sequential if H .so is total on H.E. We write SHist for the set of 
sequential histories. It is easy to see that all histories produced by the session-local 
semantics are sequential. For H £ SHist we write H(n) for the n-th event in H. so, 
undefined when there is not one. We also write H\ n for the projection of H to the first 
n events in H. so; if n > \H.E\, we let H\ n = H. 

Proposition 18 (Determinacy) For A \ E\- C we have: 

Vobj : dom(Z\) —» in j Obj.VFi,iT 2 £ Hist. Vcr,or,cr 2 £ LState(X). 
{H 1 ,<j 1 ),(H 2 ,o 2 )e(C)(obj,o)AH 1 ^H 2 =^ oi = o 2 

and 


Vobj : dom(zi) -f inj Obj.VFi,F 2 e Hist.Va e LState(X). Vn. 

(F 1; _),(F 2 ,_) e (C)(obj,a)AH 1 \ n w H 2 1„ A (1 < n < \S t \, \H 2 \) 

(n+l< l-ffil ^ n+l< |F 2 |)A 

(n + l<|Fi| =► F 1 .obj(F 1 (n+l)) = F 2 .obj(F 2 (n + l)) 

A Fi.aopCF^n + 1)) = Fi.aop(F 2 (n + 1))). 

Theorem 19 Given a family of well-typed commands {A \ v m ,v out h C 0 } oe o, we 

'iobj £ [dom(Z\) —>-inj Obj]. VF £ [range(oiy) -> Spec]. 

VX], X 2 £ CExec. VX-,, X 2 e Exec. V/3-,, fa. 

(Pi, l{C 0 }oeoi(obj)) : X\ —i X'i A (fa, l{C 0 } oe0 i(obj)) ■ X 2 —y X 2 A 
X( « rva i X' 2 A Xi |= cc F A X 2 |=cc F => 

Xj = X^ A3tt : Xi.E ^ bij X 2 .E.X 1 **, X 2 A V/ € X 1 .E.fa(f) = fa(n(f)). 



Proof. Consider 


{Xj : Oj | j = 1 ..to} | Win, W ou t I - Co, O G O 
and 

obj G [{a^- | j = l..m} -hnj Obj]; F e [range(o6j) ->• Spec] 
and let p = l{C 0 } oe0 i(obj). 

We prove that the following holds for all Xj , X 2 G CExec such that Xj « rva i Xj 
by induction on \X[.E\ = \X 2 .E\: 

VX 1} X 2 G Exec.V/3 i,/3 2 . 

ifiup) : Xi Xj A (ft,p) :X 2 ^^AX! |= C C F A X 2 j= CC F => 

Xj = Xj A3 tt : ^ bij X 2 .£.X x X 2 A V/ G X, ,/v.;), (/) = 

The base case when |Xj.i?| = \X' 2 .E\ = 0 is trivial. 

Consider Xj , Xj G CExec, Xi, X 2 G Exec and (3 i, ft such that 

Xj « rva i X' A (fa,p) : X\ —> Xj A (ft, p) : X 2 ^ Xj A X x (= CC FAX 2 |= C c F. 

Let us choose an event egXj.fi that does not have successors in Xj .so U Xj .vis U 
Xj.ar; this is possible since Xj G CExec. Then e G X' 2 .E and it does not have succes¬ 
sors in Xj.so U Xj.vis U Xj.ar. Let 

Y 1 = X l\x[.E-{e} A Kj = Xj \x' 2 . E -{e}\ 
then Y{ w rva , Y.j. Let 

n = ^.lx ; ./,' ;V l M A ^ = x 2 | X*.E-Ptm- 

It is easy to see that Yj and Y 2 still satisfy CausalVis and CausalAr. If (/, g) G 
X x .vis for some / G ^f 1 (e) and g G X 1 .E - / 0f 1 (e), then (e,ft (g)) G Xj.vis, 
contradicting the fact that e does not have successors in Xj .vis. Hence, such / and g do 
not exist, which implies that Y\ \= F. We similarly establish Y 2 |= F. 

Let 

Pi = Pl\ Xl .E-p-\e) A P'2 = P2\x 2 .E-P~\ey 

Is easy to check that 

(P[,p) : Y\ Y{ A (ft.p) : ft Yj. 

We have thus established all the premisses of the induction hypothesis for Y{ and 
Yj. Applying it, we get that Y{ = Yj and for some n : ft .E —g^ij Y 2 .E we have 
ft ft and V/ G Y(.E.3\{f) = ft( 7 r(/)). 

Let ( 0 , 0 ) = Xj.aop(e) = Xj.aop(e). Then 

((Xr-ff)[w in ^_,w out ^Xj.rval(e)]) G (atomic {C 0 })(obj, [v- m ^a, % u #j| 
A 

{{X 2 .H) |^-i (e) , [v in i—>•_, Wout'-tXj.rvalje)]) G (atomic {C 0 })(obj, [w in i-4o,Wout'-t-L]) 

(13) 



and, in particular, (X 2 .H)\ / 3 -i^ G SHist. 

For n > 0 let 

E?=(((X 1 .H)\ f)r i m )\ n lE A ES = (((X 2 .H)\ m%) )\ n ).E- 

X” = Xi\ Yi .e\jei{ A X% = X 2 \y 2 .eue "• 

We prove by induction on n that 

3tt' : E ? ^ bij E$. X? *w * 2 " A (V/ € X?.E. &(/) = /3 2 ((tt W tt , )(/))). 

The base case of n = 0 follows from Y) rj n Y 2 and V/ G Y{.E. d\ (/) = P 2 (n(f)). 

Assume that for some n > 0 and 7r' : E\ l —>bij E 2 we have A” A.] 1 and 

V/ G X?.E. &(/) = /3 2 ((tt W tt')(/)). Then 

((X 1 Jf)| /5 - 1(e) )| n ay ((A 2 .H)| /3 - 1(e) )|„. (14) 

If n > |/3f 1 (e) |, then the above implies 

((^•%‘ W ) i{X 2 .H) |^-i (e) )| l/3i - 1(e)| . 

Due to (13), by Proposition 18 we get \fi 2 1 {e)\ = /3f 1 (e) (so that X" = X" +l and 
X 2 = X^ +1 ) and 

((X 1 . J ff)| j0 - 1(e) )U +1 = ((Xl^I^^) 

*V ((X 2 .ff)|^ H ^> = f(X 2 .i?)|^-1 (e) )|n+11 

as required. We obtain the same when n > \fi 2 l (e) | in a similar way. 

Now assume that n < |/3f 1 (e)| and n < |/3 2 ~ 1 (e)| and let 

e 1 = ((X 1 .H)\ 0 - l{e) )(n+l) A e 2 = ((X 2 .ff)| j8 - 1(e) )(n+ 1). 

Due to (13) and (14), by Proposition 18 we get 

Xx.obj(ei) = X 2 .obj(e 2 ) A Xi.aop^i) = X 2 .aop(e 2 ). (15) 

Let t t" = 7r'[ei : e 2 ]; then X? +1 .H X^ +1 .H and 

/3i(ei) = e = /3 2 {e 2 ) = /3 2 ((tt l±l 7r")(ei)), 


s required. 

We now show (n l±l 7r")(X" +1 .vis) = X 2 +1 .vis. Consider (/, g) G X" +1 .vis: 
- If / ^ ei and g ^ e lt then f,g G Xf .E. Then Xf X£ implies 

•((7rW7rO(/),(7rW7r')(<7))eX 2 ”.vis 

((7rW7r")(/),(7rW7r")(ff))eX” +1 .vis. 


and, hence, 



- We have previously shown that there are no / e l (e) and g e X\.E — (e) 

such that (/, g) e X\ .vis. Hence, we are left with the case when g = e\, which we 
consider in the following. 

- If / e E" , then (/, ei) € X\ .so. But then X” £|^r< X" implies 

((7rl±l7r , )(/),e 2 ) e X 2 .so 
and, by CausalVis for X 2 , we have 

((ttWtt') (/),e 2 )eX 2 .vis. 


This implies 

((tt W tt")(/), (tt t±) 7r")(ei)) € X 2 .vis. 

- Assume now that / e Xi.£ — /3f 1 (e). Then (/) ^ /3i(ei) = e and (0i,p) : 
A-| —» X-J implies 

(&(/),e)eXj.vis. 

Since X-J « rva | X£, we also have 

(A(/),e) GX'.vis. 

Since e = B 2 {e 2 ) and (/) = W 7 r')(/)), this is equivalent to 

(/3 2 ((tt W7r , )(/)),^ 2 (e 2 )) e X'.vis. (16) 

We have Xi.obj(/) = Xi.obj(ei) and Xf X.” implies X 2 .obj((7r l±l 

7r')(/)) = Xi.obj(/). From this and (15) we get 

X 2 .obj((7rW7r , )(/)) = X 2 .obj(e 2 ). 

Given this and (16), from (/3 2 , p) : X 2 —f Xl 2 we get 
((tt t±) 7T / )(/), e 2 ) € X 2 .vis, 

which implies 

((7rW7r")(/),(7rW7r")(ei))eX” +1 .vis. 

We have thus shown that (n l±i 7r")(X" +1 .vis) = X 2 + i .vis. 

We now show that 

( 7 r l±l 7r")(X" +1 .ar) U X^.ar 

is acychc. Assume that there is a cycle in this relation. Since Xf X 2 , we know 

that 

( 7 r W 7T , )(X".ar) U XJ.ar 

is acyclic. Hence, the above cycle contains e 2 and an edge 

(e 2 , /) e (7T W 7r")(X" +1 .ar) U X^ +1 .ar 


for some /. Then 


(e 2 , /) 6 X^ +1 .ary %. (d ,g) € Xf^.ar. 



Using the choice of e\ and e 2 , similarly to how it was done previously, we can show 
that none of these cases is possible, which establishes the desired acyclicity guarantee. 

Similarly to how we previously showed that Yi |= F and Y 2 |= F, we can show 
X? +1 |= F and X? +1 \= F. Let 

Z x = (X™ + 1 .H, X" +1 .vis, (X" +1 .ar U (77 l±l 'k")~ 1 (X 2 +1 .ar)) + ) A 
Z 2 = (X£ +1 .iJ,X£ +1 .vis, (XJ +1 .arU (7rttl7r")(^r +1 .ar)) + ). 

From the above-established acyclicity guarantee, Z\ and Z 2 are executions. Since data 
type specifications preserve their value on arbitration extensions, we still have Z\ |= F 
and Z 2 |= F. Furthermore, from what we have shown so far and (15) it easily follows 
that ctxt(Zi, ei) « ctxt(Z 2 , e 2 ). Since data type specifications give the same values on 
isomorphic contexts, 

Xf+VrvaKei) = ^.rvaKei) = Z 2 .rval(e 2 ) = X 2 n+1 .rval(e 2 ). 

This finally establishes X\ l+[ X 2 l+I , completing the induction. 

Now choosing n such that n > |/3f 1 (e)| and n > \(i 2 l {e)\, we get X-[ l = 
Xi and X 2 = X 2 . Then the statement just proved gives us that for some 7r' : 
((X,.//)| #| , W ).K ^ bij we have Xi X 2 . As a conse¬ 

quence, 

lXx.H)\^ e) (X 2 .H)\^ {e) . 

Then by (13) and Proposition 18 we get A'j.rval(e) = X 2 .rval(e), as required. □ 

Proposition 20 Given a family of well-typed commands {A \ t’m, w ou t h C 0 } 0 eo, 
we have: 

MN.Mobj 1; obj 2 € [dom(Zl) —h n j Obj]. 

VFi e [range(o6j 1 ) -» Spec].VF 2 e [range(o6j 2 ) —»• Spec]. 

(Vx e dom(Zi).Fi(o6j 1 (x)) = F(o6j 2 (x))) => 

V(Xi,a) e 7 (N, [{C' 0 } oe0 ](i>6ii),F 1 ).3X 2 . (X 2 ,a) S y(N, l{C 0 } oe0 i(obj 2 ),¥ 2 ). 

Proof of Theorem 8. Assume N, obj 1 , obj 2 , F b , F 2 , Xi , ai, X 2 , a 2 satisfying the 
conditions of the theorem. Since 

(X 1 ,a 1 )Gy(N,l{C o } oeO i( 0 bj 1 ),¥ 1 ), 
for some e\ £ N.E we have 

■3|i. (PuliCoUoMobjx)) : Xx (N,ex,ax)AXx |=cc Fi. 

By Proposition 20 there exists Y 2 € Exec such that 

(Y 2l a 2 ) ey(N, [{a} oe o](o6i 1 ),F 1 ), 


'pH $ N.E. (ft, l{C o }o&l(0bjx)) : Y 2 -A (N, e 2 , a 2 ) A Y 2 \= cc Wx. 



Then it is easy to see that 

Bfc.^UCoUoUobj,)) : Y 2 *+ (N, ei ,a 2 )AY 2 Kc?i- 
By Proposition 17, there exist X[, X 2 such that 

(Pi, l{C 0 }aeoi(obj)) : Xi -> X[ A (fa l{C 0 } oe0 i(obj)) : Y 2 -> X' 2 A 
(N, e\) ^ X[ A (N, e\) ^ X' 2 A oi = X(.rval(ei) A a 2 = X' 2 .r\ia\(e{). 

We can ensure that we have X 2 € CExec; then XJ « rva | X'. 2 . By Theorem 19 we 
get X\ = X! 2 , so that oi = a 2 , as required. □ 


D Proof of Theorem 10 

In this section we prove the following statement, which implies Theorem 10. 
Theorem 21 IfP —> P', then [P'Jcg = [PJcg- 

The case of the first reduction out of the two given in §6 is standard. We therefore only 
consider the case of the second, discharged by Theorem 42 in §D (the D direction, i.e., 
soundness) and Theorem 47 in §D.5 (the C direction, i.e., completeness). To prove the 
former result, we first need to reformulate the data type denotation from Definition 9, 
which is the subject of §D.3. 


D.l Properties of the factoring operation (—/~) 

We prove a few useful properties of the factoring operation (—/~), which will be used 
in the proofs of our main results later. Let E be a set of events and ~ an equivalence 
relation on E. 


Lemma 22 For all relations Ron E and events e, eo, /, /o € E, 

( e / / A e ~ e 0 /o ~ /) => e /. 


Proof. Let R, e, eo, /, /o be a relation and events satisfying the assumption of the 
lemma. If eo —A /o, by the definition of the factoring operation, 


e 


/• 


Otherwise, there exist ei, /i € E such that 

(eo / /o A eo ~ ei A- /i ~ /o). 


Since ~ is transitive, 

e ~ ei A /i ~ /. 
Furthermore, e / / and ei A /). Hence, 



as desired. 



Lemma 23 The factoring operation (—/~) is a monotone closure operator. That is, 
for all relations R, S on E, 

R c (RM A ((RHH = ( R/~) A (RCS => {R/~) C (S/~)). 

Proof. The first conjunct RC (i?/~) is an immediate consequence of the definition 
of factoring. For the second, by the same consequence again, it suffices to prove that 

{{RHH c (rm. 

For the sake of contradiction, suppose that ((iZ/~)/~) % (i?/~). Then, there exist 
e, e', /, /' such that 

e f,f A A (e,/)£ (#/-). 

The first two conjuncts imply e ^ > / by Lemma 22. This contradicts the third con¬ 
junct. 

It remains to show the monotonicity of the factoring operation. Assume that RC S. 
Pick e, / € E such that e R ^ > /. If e A- /, then 

A/. 

Otherwise, there exist eo,foCE such that 

e f A e ~ e 0 A- /o ~ /• 

Since i? C S', the above formula implies eo A- /o- Hence, by the formula again, we 
have that e ——> /. □ 

Lemma 24 The factoring operation preserves union: for all relations R, S on E, 

(R U S)/(~) = (-R/~) U (S/~). 

Proof. By the monotonicity of the factoring operation (Lemma 23), we have that 

(R/~) U (S/~) C(R\J S )/(~). 

Hence, it suffices to prove the other subset relationship. Pick e, / £ E such that 
e-> /. 

If e RuS > /, by the definition of factoring, 

e->/• 

Otherwise, there exist eo,foCE such that 

/ i- » RUS £ £ 

erf, f A e ~ e 0 - > f 0 ~ /. 



Then, eo —> fo or eo A fo . In the former case, we have 

(e, /) e (R/~) c (i?/~) U (S/~). 
Similarly, in the latter case, we have 

(e,f)e(SHC(R/~)u(Sn. 

Lemma 25 For all relations R on E, 

(RH+/H = ( RM + . 

This means that the transitive closure is well-defined over the 
tions. 


□ 


°f ~ -factored rela- 


Proof. It suffices to show that for all events e, eo, e \,..., e n , f with n > 0, 

(e / f A e ~ e 0 A e n ~ / A Vi e {0,..., n-1}. e* e . (L ) e > /. 

Let e, eo, ei,..., e n , / be the events satisfying the assumption of the above implication. 
Then, 

efje n . (17) 

This is because otherwise e ~ / by the transitivity of ~, but this would contradict 
the assumption that e / /. Furthermore, e ~ eo by assumption. Hence, there exists 
m e {0,..., n—1} such that 


e~e m A e/e m+ i. 


By Lemma 22, 

e -^4 e m+ i * (18) 

Furthermore, by a similar argument now applied to / and e m (instead of e and e„), we 
get k £ {m + 1. n} such that 

efc ~ / A e fc _i rf f. 

By Lemma 22 again, 

efc-i /. (19) 

If k — 1 = m, then e ~ e/ c _i. Since e f /, the relationship in (19) implies the desired 


because of Lemma 22. Assume now that k—lf^m. Then, k — 1 > m + 1. From (18) 
and (19), it follows that 


w~r 







This implies the desired e 




Finally, we show a few properties that describe interactions between factoring and 
a function on events. Let Eq, E\ be sets of events, and ~o, ~i equivalence relations on 
E f} and E-\, respectively. Also, consider a function /3 : Eq —» E\ such that 

Ve, / € Eq. e ~ 0 / <=► /3(e) ~i /?(/)- 
The following lemmas hold for these Eq, E\, ~o, ~i and /3. 

Lemma 26 For all relations Ro on Eq, and R \ on E%, if 

Rq/^o = Ro A = i?i A = Ri, 

then for all e.f £ Eq such that e fo /, 
qp(R 0 )/^ 1 )uR 1 y 


(m 


> w)) • 


Proof. First, we prove the right-to-left implication. Consider e,f £ Eq such that 


We will prove that 


/3(e) J 


> m- 


Note that from this follows the right-to-left implication. By the choice of e and /, 

Ro, t w 0(Ri)/~o, j, 
e —> f V e-> /. 

Since (3(Ro) C (/3(iio)/~i), the first disjunct above implies the desired (20). Now 
suppose that the second disjunct holds. Note that (/? o /3 _1 )(i?i) C /? ,. Hence, if 


we get 

/3(e) /3(/). 

This gives the desired relationship in (20). On the other hand, if for some e', f £ Eq, 


then 


/3(e) /3(e') 




a / A ef'o f, 


because /3 preserves ~ 
tionship imphes that 


i and reflects 

fe- 


f)~iPlf) A /3(e) /3(/), 

Since (/? o /3 _1 )(Ri) C R,, the above rela- 





Recall that Rifai = R \ by the assumption of the lemma. Hence, this relationship 
between /3(e) and /3(/) gives the desired (20). 

Next, we prove the left-to-right implication claimed in the lemma. Consider e, / £ 
Eq such that 


We have to show that 


( 21 ) 


Let R' 0 = /3(i?o)/~i- By our choice of e and /, there exist a sequence (eo, e \,..., e n ) 
in Ei with n > 1 such that 


/3(e) = eo A /3(/) = e n A VO < i < n. (e* -^4 e l+ \ V e* -^4 'e,+i). 

We will show (21) by induction on the number of times that the first disjunct involving 
R' 0 holds. 

The base case is that it never holds for any element in the sequence (eo,..., e„). In 
this case, we have 

/3(e) = e 0 e„ = /3(/). 

But R\ is transitive by assumption. Hence, /3(e) -^4 /3(/), which then gives the desired 
( 21 ). 

Now let us consider the inductive case. In this case, there exists 0 < j < n such 
that ej -^4 e,j + -\. Unpacking this, we get e ? - ^' R °^ 1 > e J+ i, which is equivalent to the 
following: 

e i+i ^ 

( e j ~i e j -^ e j+t A ((e^- = ft A e ' +1 = e j+ i) V fa fa e j+ i))). 

( 22 ) 

The first conjunct above implies that 

3e", e" +1 e E 0 . /3(e") = e' A /3(e" +1 ) = e' +1 A e" -^4 e" +1 . 

Let 

A: = min{i | e* ~i /3(e") A 0 < * < j} and 
l = max{i | /3(e'- +1 ) ~i Aj + 1 < i < n}. 

Because of Lemmas 23 and 24, 

(R^URt^fat) = mRo)/~i)/~imRi/~i) = (J3(Ro)/~i)URi = (H&UJSi). 


((k > 0 A e fc _! -^4 /3(e")) V (k = 0 A /3(e) /3(e"))) 

A ((( < n A .3(0",,) ^4 ei +1 ) V (J = n A /3(e" +1 ) /3(/))) 


Hence, 






Since /? reflects ~i, the above formula implies 


((/?(e) ————— 
A ((/3(e"+ 


» /3(e") A e 7^0 e") V (e 


e")) 


(it(>Ufll) + 


/3(/) A e" +1 / 0 /) V (e" +] 


o /))• 


By the induction hypothesis, the above formula implies that 


((e~ 


(( e "+1 


s") V (e ~ 0 e")) 

(it 0 U (^ -1 (iti)/~ 0 ))' 


/) V (e" +1 ~o /))• 


We do the case analysis depending on which disjunct holds in the two conjuncts above. 
1. Subcase e ~o e" and e" +1 ~o /: Since e" -5%. e" +1 and e 7% / by assumption, 


Since i?o is ~o-factored, this gives the desired (21). 

2. Subcase e ~o e" and e" +1 /o f‘ Then, 

e j+1 -> /• (23) 

We consider two cases depending on whether e 7^0 e" +1 . Suppose that e 7^0 e" +1 . 
Then, since e" -^4- e" +1 , 

«o/~o // 

e-k e i+1 . 

Since i?o is ~o-factored (i.e., Rq /~o = Ro), this and the relationship in (23) imply 
that 

e (floU(^- 1 (fli)/~o))+ : j 

Now suppose that e ~o e" +1 . Then, since e 7^0 / by assumption and (f?o,U. 
( ( 8 _1 (i?i)/~o)) + is ^(j-factored, the relationship in (23) implies that 

(it 0 U(/3 _1 (i? 1 )/~o)) + , 


3. Subcase e 7^0 e" and e" +1 ~o f : This subcase is symmetric to the previous one. 

4. Subcase e / 0 e" and /o /: Then, 


(floU(;3- 1 (it 1 )/~o)) + i 


(fl 0 u(r 1 (fi 1 )/- 0 ))+, 


, we get the desired 

(fl 0 U(/3- 1 (fi 1 )/~ 0 )) + > 



This concludes the proof of this lemma. 

Lemma 27 For all relations Ro on E 0 , and Ri on E\, if 


Ro/^o = Ro A -Ri/ , ~i = Ri A Ri = R\ 

A both R,\ and (Ro U (/3 _1 (R\)/ ~o)) are acyclic 
A /3(Ro fl ~o) — id C R 1 

then ((((3(Ro) — id)/~i) U i?i) is acyclic. 

Proof. Let R' 0 = (15 (Rq) — id)/~i. For the sake of contradiction, suppose that 
(R' 0 U i?i) is cyclic. Then, there exist 

eo,. ■., e„ £ Ei for some n > 1 


We prove that the existence of such a cycle leads to contradiction, using induction on 
the number of times that R' 0 is used in the cycle. 

The base case is that R' 0 is not used at all. In this case, the sequence (eo,..., e n ) 
demonstrates that Ri is cyclic. This contradicts our acyclicity assumption on R\. 

Let us move on to the inductive case. Suppose that R' 0 is used m > 0 times in the 
cycle (eo,..., e„). Then, there exists 0 < k <n such that 


R ' 0 

e-k —> e (fc+1)mod( „ +1) . 

By the definition of R' 0 , there exist e, / £ E 0 such that 

A e^f A 

((/3(e) = eh A /3(f) = e (fc+1)mod(n+1) ) V 

(e*, ~i /3(e) A /3(f) ~i e( fe+ i) mod( „ + i) A e k 'fi e(fc+i) mod („+i))). 


The second disjunct in the last conjunct implies that 


/3(e) H (3(f) 


Hence, regardless of whether the first or second disjunct holds in the last conjunct, we 
have that 

(13(f) (fl ° Ufll)+/ ^ 1 > /3(e)). (24) 

We do the case analysis on whether e ~o /. Suppose that e ~o /• Then, 

m " (a ° n ~- ) - iJ , f> U ). 


Thus, by the assumption that (3(Rq fl ~o) — id C R u 








This means that the cycle (eo,..., e n ) can be formed by using R' 0 in rri — 1 times as 
well. This lets us use the induction hypothesis and obtain contradiction. 

Suppose now that e fo /• Since ~o is symmetric, / 7^0 e - Using this fact, we start 
from (24) and reason as follows: 

w> ( '* ;u ' i ’ )V ~ , » m => im m) 

=* («/) 



The first implication holds because all of R' 0 , R\ and R' 0 U R\ are ~ 1 -factored (Lem¬ 
mas 23 and 24), and the set of such ~ 1 -factored relations is closed under the transitive 
closure operation (Lemma 25). The second implication unrolls the definition of R' 0 and 
uses the monotonicity of A R'. (R'/~ 1 U R \) + (Lemma 23). The last implication holds 
because of Lemma 26. Since 

e-%f, 

we have that 

(«oU(/3- 1 ( J R 1 )/~ 0 )) + v 
e- > e, 

which contradicts the acyclicity of (Ro U (,3 1 (/?i)/~o)) + - □ 

We call a relation R (not necessarily a strict partial order) prefix-finite if for every 
e, {/ | (/, e) € #+} is finite. 

Lemma 28 For all relations R,S on a set E, if R is prefix-finite but (R, U S) is not, 
there exists e € E such that 



is infinite. Here ) is the usual operation for relational composition. 

Proof. Consider relations R, S on a set E such that R is prefix-finite but (R U S) is 
not. Let 

Ro = ( RUS ). 

Since Rq is not prefix-finite, there exists e 6 E such that 

E' = {f | f^ej 

is infinite. Since R is prefix-finite, there should be infinitely-many elements of E' that 
are not related to e via R + . This means that the following subset of E' is infinite: 

E" = {/ | 3e f e E. f -^4 e f e}. 


Pick a witness e/ for each / in E" that satisfies the condition in the definition of E". 
Because of the prefix-finiteness of R, the set of these chosen witnesses e/ has to be 




finite. This means that one witness e/ is reused infinitely-many times so that it is related 
to infinitely-many different /’s in the set E" above. Let us denote this witness by e w . 
By the reasoning just given, the set 


E'" = {f\f^ e w }. 

is infinite. Now notice that E'" satisfies the following equality: 

17/// rr I 3 / p r R* / 5U (S-.H--.S) 

E ={/ | 3e f GE.f^e f - > e w }. 

Choose a witness e'j for each / e E"' that satisfies the condition in the definition of E'" 
above. This time the set of chosen witnesses is infinite. This is because otherwise 
there would exist one witness that is related to infinitely-many elements in E"' by 
R*, but the existence of such a witness contradicts the prefix-finiteness of R. Since 
there are infinitely-many witnesses e'f, the following set is also infinite: 


as claimed by the lemma. □ 

Lemma 29 For all relations Rq on E 0 , and Ri on E\, if 

Ro/~o = Ro A R 1 /~ 1 = R 1 a Rf = R 1 

A both R t and (R.q U (fi~ 1 (Ri)/ ~o)) are prefix-finite 
A every equivalence class o/~i is finite 

then ((0(iZo)/~i) U Ri) is prefix-finite. 


Proof. Let R' 0 = /3(Ro)/~i. For the sake of contradiction, suppose that (R' 0 U i?i) 
is not prefix-finite. Note that R\ is prefix-finite by assumption. By Lemma 28, there 
exists e £ E\ such that 


E[ = { f i / e} 

is infinite. Since every equivalence class of ~i is finite, the following subset of E\ is 
also infinite: 

E" = {/ | / —-—-^ e A / ffix e}. 

Now we can pick countably many elements fi, . from E” such that 

Vi,i > 1 -i^j fi'fil fj, 

because, again, every equivalence class of is finite. Since f t is in the domain of the 
relation R' 0 and R' 0 = /3(i?o)/~i, there exist /' ,... £ E {) such that 

(Vi,j > 1 .i*j =* K* /') A (Vi > 1. fi(f') fi). 



Also, since e is in the range of the relation R' 0 , there exists e! £ E 0 such that 

e ~i 0(e'). 

Recall that /,; e for every / > 1, and that 0 preserves ~o- Hence, for every 1 > 1, 
/?(/') t h 0(e') A f[ 7^0 e'. (25) 

Also, for every i, 

R ' 0 Utfl'jCfl'uit!)*;/?') 
fi -> e, 

so that 

(R'URi) + 

/i-f e. 

Since ( R' 0 U R \) + is ~ 1 -factored (Lemmas 23, 24 and 25), the above relationship and 
the property in (25) imply that 

0(f-) ( ' R ° URl ^ > 0(e') for every i > 1. 


Because of (25), we can apply Lemma 26 here and derive 




for every i > 1. 


This contradicts the prefix-finiteness of (Rq IJ (0 1 (i?i)/~o)), the assumption of this 
lemma. □ 


D.2 Generalised axioms and lifting operation 

For X e Exec and R C (X.E) 2 we write (X. R) \=ccs F if X |= F and X satisfies 
the following version of the axioms CausalVis and CausalAr, and the additional 
axiom PrefixFiniteAr / : 

CausalVis / . ((X.so U Xvis U R)/(X.~)) + n sameobj(X) C Xvis. 

CausalAr'. (X.so U Xar U i?)/(X.~) is acyclic. 

PrefixFiniteAr'. (X.so U X.ar U R)/(X.~) is prefix-finite. 

We write X |=ccs F if X \= F and X satisfies CausalVis and CausalAr (but not 
necessarily Eventual). 

For 

AT e Exec, u £ Obj, H’ £ Hist(w), R C ( H'.E ) 2 , .0 : X.E -> H'.E 

we define 

\\k{X,H',R,0) = {H', ((H'. so U (/3(X.vis) - id) U R)/(H'.~))+, 
i(H '.so U (0(X.ar) - id) U J2)/(ff , .~))+). 

Lemma 30 For all 

X £ Exec, u £ Obj, H' £ Hist(w), R C (H'.E) 2 , (0, p) : X.H -> H', 

if R' = H' .so U (ii/(ff'.~)) is acyclic and prefix-finite, and (X,0~ 1 (R! + )) satisfies 
CausalVis', CausalAr' and PrefixFiniteAr', then lift(V, H', R, 0) is an execu¬ 
tion satisfying CausalVis and CausalAr. 



Proof. Let 


X = ( H , vis, ar) = ((E, label, so, —), vis, ar); 

H' = (E', label', so', -'); 

vis' = ((so' U (/3(vis) — id) U ii)/~ / ) + ; 

ar' = ((so' U (/3(ar) - id) U -R)/—') + - 

Recall that (3 preserves — and reflects — 7 by Lemma 14. We will use this fact without 
mentioning it explicitly in this proof. 

We need to discharge the following four requirements: 

1. vis' C ar'; 

2. vis' and ar' are defined on the same object (in this case w); 

3. vis' and ar' are prefix-finite strict partial orders on E'; and 

4. ( H vis', ar') satisfies CausalVis and CausalAr. 

The first requirement holds because vis C ar, and vis' and ar' are obtained by applying 
the following monotone operation on those vis and ar: 

XR 0 . ((so' U (fi(Ro) - id) U R)/~')+. 

This operation is monotone because it uses only monotone operators; for the mono¬ 
tonicity of (—/— 7 ), see Lemma 23. The second requirement is an immediate conse¬ 
quence of the assumption that H' g Hist(cc). Since vis 7 and ar' are both transitive by 
definition and ar 7 includes vis 7 , the third requirement follows if we show that ar 7 is 
acyclic and prefix-finite. We will prove the acyclicity of ar 7 later when we discharge the 
last requirement, in particular, the CausalAr axiom. For the prefix-finiteness of ar 7 , 
we first notice that 


ar 7 = ((so 7 U (/?(ar) — id) U R)/~') + 

= ((so 7 /- 7 )U((/3(ar) - id)/- 7 ) U (R/-'))+ 

= (so 7 U ((/3(ar) - id)/- 7 ) U (R/-'))+ 

= (((/3(ar) - id)/-') U (so' U (R/~')))+ 

= (((/3(ar)-id)/- 7 )UR 7 )+ 

C((/3(ar/~)/~')Ui?'+)+. 

The second equality holds because the factoring distributes over union (Lemma 24), 
and the third follows from the fact that so' is —'-factored. The fifth equality just rolls 
the definition of R', and the last subset relationship uses the monotonicity of factoring 
(Lemma 23). Note that since R' is —'-factored, so is R' + (Lemma 25). Furthermore, —' 
is the equivalence relation from the history H 1 , all of its equivalence classes are finite 
sets. Thus, by Lemma 29, it suffices to prove the prefix-finiteness of 

R ,+ and (ar/—) U (/) -1 (ii' + )/—). 

By assumption, R' is prefix-finite, so R' + is prefix-finite as well. For the latter relation, 
we have 


( ar /~) U (/3 _1 (i?' + )/~) = (arU/T 1 (#+))/' 




since the factoring operation preserves union (Lemma 24). The RHS of the equation 
above is prefix-finite because ( X , fi~ l {R ,+ )) satisfies the PrefixFiniteAr' axiom. 

The rest of the proof focuses on showing the fourth requirement. 

CausalVis. We prove the axiom as follows: 

((so' U vis')/~')+ = ((so'/-') u (vis'/~')) + 

= ((so'/-') U (((so' U (/3(vis) - id) U £)/-')+/-'))+ 

= ((so'/-') U ((so' U (/3(vis) - id) U i?)/~')+)+ 

= ((so'/-') U ((so' U (/3(vis) - id) U R )/-'))+ 

= ((so' U (/3(vis) - id) U #)/-')+ 

= vis'. 

The first equality holds because factoring distributes over union (Lemma 24), and the 
second simply unrolls the definition of vis'. The third equality uses the fact that the 
set of factored relations is closed under transitive closure (Lemma 25), and the next 
equality is a simple fact on transitive closure. The fifth equality uses the distributivity 
of factoring over union (Lemma 24). The last equality is just the rolling of the definition 
of vis'. 

CausalAr. We need to prove the acyclicity of the following relation: 

(so' U ar')/~' = (so' U ((so' U (/?(ar) — id) U i?)/~') + )/—'. 

We simplify the RHS of this equation using properties of —': 

(so' U ((so' U (0(ar) - id) U #)/-')+)/-' 

= (so'/-') U (((so' U (/?(ar) - id) U #)/-')+/-') 

= (so'/-') U ((so' U 03(ar) - id) U i?)/~')+ 

= (so'/-') U ((so'/-') U (03(ar) - id)/-') U (i?/~'))+ 

= ((so'/-') U ((/?(ar) - id)/-') U (#/-'))+ 

= (so' U ((/3(ar) - id)/-') U (£/-'))+ 

= (((/3(ar)-id)/~')Ui?')+ 

= (((/3(ar) - id)/-') U (R'+))+ 

= (((/3(ar/~)-id)/~')U( J R' + )) + . 

The first equality uses the distributivity of factoring over union, the second follows from 
Lemma 25, and the third uses the same distributivity again. The fourth is an immediate 
consequence of the transitive closure operation, and the fifth equality holds because 
so'/—' = so'. The sixth equality rolls the definition of R'. The next equality is a simple 
consequence of transitive closure. The last equality holds because /3 preserves — and 
reflects —', so that 


mar) - id)/-') = ((/3(ar/~) - id)/-'). 



By our simplification above, it is sufficient to prove the acyclicity of the following 
relation: 

5 = ((/3(ar/~) - id)/-') U (#+)). 

Note that 

(#+)/-' = (so' U (Rh')) + H = (so' U (i?/-'))+ = R' + . 

The second equality holds because (so' U (7?/—')) is —'-factored (due to so'/—' = so' 
and Lemmas 23 and 24) and the set of —'-factored relations is closed under the transitive 
closure operator (Lemma 25). Furthermore, ar/~ is —factored (Lemma 23). Hence, by 
Lemma 27, to show the acyclicity of S, it suffices to prove the facts below: 

1. The relations R' + and ((ar/—) U (/3 _1 (7?/+)/—)) are acyclic. 

2. /3((ar/-) n -) — id C R'+. 

The acyclicity of R' + is one of the assumptions of this lemma. The other relation 
((ar/—) U (/3 _1 (7?'+)/~)) is same as 

(arU r 1 ^))/- 

by Lemma 24. Hence, its acyclicity follows from the fact that ( X , /3 _1 (7?'+)) satisfies 
CausalAr'. For the second condition, consider e, / € X.E such that 

a e (ar/ ~ )n ~> /. 

By the definition of factoring, the latter condition implies that e—> f and e — /. Since 
e — /, we have 

e i£>/ V f^e. 

The second disjunct here is not possible because it would contradict the fact that X 
satisfies the CausalAr axiom. Thus, the first disjunct holds, from which it follows 
that 

/?(e) /3(f). 

Since /3(e) ^ (3 (/) and f/3, p) is a morphism from X.H to H', the above relationship 
implies 

(m,m) e so' c r'+, 

as desired. □ 

Lemma 31 For all 

X € Exec, u € Obj, H' e Hist(w), R C (H'.Ef, (J3, p) : X.H H', 

if R' = 7/'.so U (/?/(//'.—)) is acyclic and prefix-finite, and (X,/3~ 1 (R ,+ )) satisfies 
CausalVis' CausalAr', tfien {[3, p) is a morphism from X to lift(X, H', R, (3). 



Proof. Let X = lift(X, H ', R, fi). By assumption, (/?, p) is a morphism from X.H 
to X'.H. Furthermore, X' is an execution by Lemma 30. Thus, it is sufficient to prove 
that 

/3(X.vis) — id C X.vis, jX^X.vis) fl sameobj(X) C Xvis, , 

0(Xar) - id C X.ar. C 

The first and the last requirements hold because by the definition of the lift operator, we 
have 

X.vis = ((H'.so U (/3(X.vis) — id) U R)/(H'.~)) + g £(Xvis) - id, 

X.ar = ((H'.soU(p(X.ar)-\d)UR)/(H'.~))+ D /?(X.ar) - id. 

The rest of the proof will focus on showing the second requirement in (26). During 
the proof, we will use the fact that 0 preserves ~ and reflects (Lemma 14), without 
mentioning it explicitly. 

Let R' = H'.so U (R/H'.~). To discharge the requirement, we use one important 
assumption that (X, 0~ 1 (R' + )) satisfies CausalVis': 

Xvis D ((X.so U X.vis U 0~ 1 (R' + ))/(X.~)) + n sameobj(X). 

Hence, the requirement follows if we show that 

((XsoU X.vis U/T 1 (.R ,+ ))/(X~))+ ,2 /Jr 1 (X.vis). 

By the definition of X', this proof obligation is equivalent to 

((X.so U X.vis U 0~\R'+))/(X.~))+ 

2 so U (/3(Xvis) - id) U R)/(H'.~))+). {Z/) 

But the RHS is the same as 

0~\((H'.so/H'.~) U ((/J(X.vis) - U (R/H'.~))+) 

because of the distributivity of the factoring with respect to the union operator 

(Lemma 24). Since H'.so/H = H'.so and R! = (H'.so U (R/H'.~)), 

0r\(H'.sou (03{Xvis) - idU (R/H'.~))+) 

= p~\(mx.s, is) - id)/X.~) U R') + ) 

= f((((^(X.v is) - id)/H'.~) U R' + )+). 

Meanwhile, the LHS of (27) is the same as 

((X.so/X.~) U (X.vis/X.~) U (/r 1 (i? ,+ )/X.~))+, 

because (—/X.~) distributes over union (Lemma 24). Hence, our proof obligation can 
be further simplified to 


((X.so/X~) U (X.vis/X~) U (/3- 1 (R'+)/X.~))+ 

2 P-Himx* is) - id)///'.~) U $!+)+). 


( 28 ) 



Pick e, / e X.E such that 


(((j3(X.vis)-id)/g'.~)Ufl'+) + ; 


0(f)- 


(29) 


We have to show that 

((X.so/X.~)U(X.vis/X.^)U(^- 1 (it'+)/X.~)) + 

e-> /• 

The rest of our proof uses case spht on whether e X '~) f. 

Assume that e - /. Then, 


»/ V /- 


(30) 


Note that the first disjunct implies the desired relationship in (30). The second disjunct 
also does, because it never holds. To see this, suppose that it did hold. Then, we would 
have 

0(f) = 0(e) V /3(/)/3(e). 

Both disjuncts here imply the presence of cycle in 

(((^(Xvis)-id)/F , .~)Ui? ,+ ) + = (X'.vis). 

This contradicts the fact that X is an execution (so its visibility relation is a strict partial 
order) (Lemma 30). 

Now assume that (e, /) ^ X.~. We weaken the relationship in (29) slightly and 
derive: 

(3i) 

Note that (Xvis/X.~) is X~-factored (Lemma 23), and also that R' + is X'.~- 
factored (Lemma 25). Hence, we can apply Lemma 26 to the relationship in (31), and 
obtain 

((X.vis/X.^)U(^- 1 (il'+)/W.^)) + 

e-> /, 

which gives the desired relationship in (30). □ 


D.3 Reformulation of data type denotations 

Recall that a relation R on a set Lisa partial equivalence relation if it is an equivalence 
relation on a subset Eq of E. This subset Eq is called the domain of R, denoted dom(f?,). 

For X € Exec and a partial equivalence relation R on X.E such that R C X.~, we 
let 

proj (X,R) = 

((XL| dom(iJ) , Xlabel| dom(fl) , Xso HR, X.~nR), Xvis| dom(iJ) ,Xar| dom(fl) ). 

Lemma 32 For all X e Exec and partial equivalence relations R on X.E such that 
R C X.~ and dom(i?) is finite, the projection proj(X, R) is also an execution. 




Proof. Consider an execution X £ Exec and a partial equivalence relation R on 
X.E such that RC X.~. Let 

((E, label, so, ~), vis, ar) = X, ((£', label', so', vis', ar') = proj(X, R). 
First, we discharge the requirements on Since i? C we have that 
R = (~ n R) = 


Hence, is an equivalence relation on dom(ii), which is equal to (J?ndom(i?)) = E’. 
Also, since is included in ~ and every equivalence class of ~ is finite, equivalence 
classes of are also all finite. Finally, for all e, / £ E', 

(e /) => ((e ~ /) A (e A /)) 

^ i“/)V(/“e))A(eA/)) 

=* ((e^/)V(/^e)). 

The last implication uses the symmetry of the partial equivalence relation R. 

Second, we handle the requirements on so'. Since so' is obtained by restricting so, 
it inherits the prefix-finiteness of so. By the same reason, so' is irreflexive. It is also 
transitive, because it is the intersection of two transitive relations so and R. Thus, to 
prove that so' is a total order on finitely many disjoint subsets of E', it suffices to find 
a partition £ of E' with finitely many components, such that two different elements in 
E’ are related by so' in one way or the other if and only if they belong to the same 
part of this partition. Recall that so is the union of total orders on components of some 
partition £e = {Ej}j e j of E. Let £ R be the collection of all equivalence classes of R, 
and define a new collection of subsets of (E n dom(i?)) = E' as follows: 

£ = {Ej n E r | Ej e £e a E r e £ R }. 

Then, £ forms a partition of E'. By construction, so' relates two different elements e and 
/ from E' in one way or the other if and only if e and / belong to the same component 
of this partition £. Also, since dom(/?) is finite by assumption, £ has only finitely many 
components. The remaining requirement on so' is that so' is ^'-factored. This follows 
from the fact that no £ E' satisfy 

e ~ e’ ~ / A (e ~ /). 

To see this impossibility, just notice that the above formula implies 

R , R J., R J. , , R J.S 

e —> d —> f —> f A /), 

which is impossible because R is transitive. 

Third, we discharge the conditions on vis' and ar'. Both are the restrictions of vis 
and ar by the same relation dom(i?) x dom(iZ), so they inherit the prefix-finiteness and 
irreflexivity of vis and ar, and relate events on the same objects only. Furthermore, by 



the same reason and the assumption that vis C ar, we have that vis' C ar'. It remains 
to show the transitivity of vis' and ar'. This is easy because vis' and ar 7 both are the 
intersection of two transitive relations: vis and E' x E' in the case of vis 7 ; ar and E' x E' 
in the case of ar 7 . □ 

The next lemma uses the notation of factoring 

S/R 

for partial equivalence relations R. The definition of S/R, in this case is the same as that 
for the original factoring in §3.2. 

Lemma 3 3 Let X S Exec be an execution and R a partial equivalence relations on 
X.E such that RC X~. 

1. If X .so is R-factored (i.e., (Xso/R) C Xso), and X satisfies CausalVis and 
CausalAr, then proj(X R) also satisfies CausalVis and CausalAr. 

2. dom(R) is closed under taking the inverse image with respect to Xvis, that is, 

{e | 3/ e dom(R). e /} C dom(R), 


VF. (X |= F => proj (X, R) |= F). 

Proof. Consider an execution X e Exec and a partial equivalence relation R on 
X.E such that R C X.~. Let 

((E, label, so, ~), vis, ar) = X, ((E', label', so 7 , ~ 7 ), vis 7 , ar 7 ) = proj(X, R). 

We first prove the claim of the lemma regarding the CausalAr and CausalVis 
axioms. Assume that A.so is -R-factored and the execution X satisfies CausalAr and 
CausalVis. 

Note that in order to prove proj(X, R) satisfies CausalAr, we just need to show 
that 

((ar 7 U so 7 )/~ 7 ) C ((ar U so)/~), (32) 

because X already satisfies CausalAr and the RHS relation above is already acyclic. 
Let us simplify the proof obligation in (32) slightly by reasoning about its LHS as 
follows: 

((ar 7 U so 7 )/~ 7 ) = ((ar 7 /~ 7 ) U (so 7 /~ 7 )) = ((ar 7 /~ 7 ) U so 7 ) C ((ar 7 /~ 7 ) U so). 

Here the first equality uses the distributivity of factoring over union (Lemma 24), the 
second uses the fact that so 7 is ~ 7 -factored, and the last subset relation holds because 
so 7 is defined as the intersection of so with R. Our transformation above implies that in 
order to prove (32), it suffices to show 


(ar 7 /~ 7 ) C ((ar/~) U so). 



Since ar' C ar as well, we can further simplify the above subset relationship to the 
following property: 

Ve, e 7 , /, f £ dom(iJ). ((e ~ 7 e 7 ^4 f ~ 7 /) A -.(e ~ 7 /)) (e (ar/ ~ )US °> /). 

(33) 

Pick e, e 7 , /, /' that satisfy the assumption of the implication in (33). If ~>(e ~ /), then 
e —— > /, because ~ 7 C ~ and ar' C ar. The desired conclusion in (33) follows from 
this. If e ~ /, we have 

(e -4 /) V (/ -4 e). 

The first disjunct immediately implies the conclusion of (33). The second disjunct is, 
on the other hand, not possible. Suppose that it was. Since e 76 7 /, we also have that 
e 7 /'. Furthermore, so is R- factored and ~ 7 is the same as /?,. Hence, we should have 
that 

f -4 e'. 

This means that (so U ar) is cyclic, which contradicts the assumption that X satisfies 
CausalAr. 

Our proof that projfX, R) satisfies CausalVis has a similar structure as the proof 
that we have just given. In this case, we should show that 

((vis'U so , )/~ / ) + C vis 7 . 

By definition, the LHS relation is defined over E', and the RHS relation is the same as 
vis n [E' x E'). Thus, the above subset relationship is equivalent to 

((vis 7 Uso , )/~ / )+ C vis. 

Meanwhile, since X satisfies CausalVis, we have that 
((vis U so)/~) + C vis. 

Hence, it suffices to prove that 

((vis 7 U so 7 )/~ 7 )' |E ((vis U so)/~). 

Recall that the factoring distributes over union (Lemma 24), and that so 7 and so are 
already factored via ~ 7 and ~, respectively. Hence, we can further simplify the above 
subset relationship as follows: 

((vis 7 /~ 7 ) U so 7 ) C ((vis/~) U so). (34) 

But so 7 = (so fi ~ 7 ) C so and vis 7 = (vis fl (E 1 x E')) C vis. Hence, one way to prove 
the subset relationship in (34) is to show that 

Ve, e 7 , /, f e E'. ((e ~ 7 e 7 4, f ^ /) A ^( e ~ 7 /)) =► (e (vis/ ^ )US °> /). (35) 
Pick e, e 7 , /, f from E' that satisfy the assumption of the implication above. If ->(e ~ 
/), then e v ’ s ^ > / and the desired conclusion of (35) follows. If (e ~ /), then 



If the first disjunct holds, the conclusion of (35) follows immediately. The second dis¬ 
junct, on the other hand, never holds. This is because otherwise we have f e', so 

that 

But we already have e' /', so by the transitivity of vis, we get e' —t e', which 
contradicts the irreflexivity of vis. 

We now move on to the next claim of the lemma. Assume that 

{e I 3/ £ dom(i?). e JE,VIS > /} C dom(i?). 

Consider a specification map F such that X |=F. We should show that proj(X, R) \= F. 
Let X' = proj(X, R). Pick e £ E' such that X'.obj(e) e dom(F). Define 

N = ctxt(X, e) and N' = ctxt(X', e). 

We need to prove that 

X'.rval(e) = F(X'.obj(e))(W'). 

This proof obligation can be discharged if we show that N = N'. This is because from 
this equality follows that 

X'.rval(e) = X.rval(e) = F(X.obj(e))(W) = F(X'.obj(e))(W'). 

Proving the equality N = N' is easy. Since dom(iZ) is closed under taking the inverse 
image with respect to X. vis and it is the same as E', we have that 

{f €E\ (/, e) e X.vis} = ({/ e E I (/, e) e x.vis} n E') 

= {f£E'\ {f, e) e X.vis x (E' x E')} 

= {f G E' \ (/, e) e X'.vis}. 

The desired equality N = N' follows from this. □ 

For a function /3 : E —» E' and a subset E' 0 C E', we define a partial equivalence 
relation on E as follows: 

per W,E' 0 ) = {(e, /) | e, f £ E A (3(e) = /3(f) A /3(e) £ E' 0 }. 

Corollary 34 For all objects c o, executions X £ Exec and X' £ Exec(w), mor- 
phisms (/3. p) : X —> X', specification maps F, and subsets E' 0 ofX'.E, ifE' 0 is finite 
and closed under the inverse image of X' m is, then the projection proj(X, per(/3, Ef)) 
is an execution. Furthermore, if X satisfies CausalVis, CausalAr, and F, then so 
does the projection. 

We sometimes denote the projection proj(X, per(3, E' 0 )) in this corollary using a sim¬ 
pler notation: 


proj {X,fi,E' 0 ). 



Proof of Corollary 34. Pick 


w € Obj, X € Exec, X' e Exec(w), (0,p) : X -¥ X\ F 

that satisfy the assumptions of this corollary. Also choose a finite subset E' 0 of X'.E. 
Let 

R = per(/3, E' 0 ). 

We will derive the claimed conclusion of the corollary using Lemmas 32 and 33. Specif¬ 
ically, we will show that 

dom(i?) is finite A RCX.~ A (X.so/R) C Xso (36) 

A {e | 3/ e dom(ii). e X ' v ' s > /} C dom(i?). 

The first conjunct of (36) is a consequence of the facts that E' 0 is finite and the 
inverse image of 8 for a finite set is also finite—the image should be the finite union 
of the event sets of histories selected from p(p, b) for some (p, b) but every history in 
p(p, b) has a finite event set. 

We move on to the second conjunct of (36). Consider e,f £ E such that e f. 
Then, /3(e) = /3(/) by the definition of R. Since X'.~ is an equivalence relation, this 
implies that /3(e) —F /3(/). Now we use the fact that /3 reflects the equivalence 

relation (Lemma 14), and conclude that e ——> /, as desired. 

Next, we prove the third conjunct of (36). Consider e, e’ , /, f £ X.E such that 

R i X.so j,/ R j, / R j.\ 

e ^ e -> f / A ~>(e > /). 

If —i(e /), we have that 

X.so/X.~ . 

e- > f, 

because R C W.~. But X.so is already X.~-factored, so e X ' so > /, as desired. Now 
assume that e ——> f. Then, 

(e^f) V 

The first disjunct is the very conclusion that we look for. The second disjunct, on the 
other hand, never holds. Suppose that it did. Note that 

/3(e) ^/3(/) A %e')*f3 (/') 

because -i(e f) but e —t e' and /' f. Then, by the definition of morphism, 

m ^ m A 

Since /3(e) = /3(e') and 8(f) = 8(f), the relationships above imply that X'.so is 
reflexive, which contradicts the fact that X'.so is a strict partial order. 



Finally, we show the last conjunct of (36). Pick e, / £ X.E such that 


/ € dom(i?) A e X ' v ' s > /. 

If /3(e) = /3(f) , then e A- /, so e should be in dom(i?). Otherwise, 

/3(e) 0(f). 

Recall that by assumption, E' 0 is closed under the inverse image of W'.vis. Furthermore, 
since / £ dom(i?), we should have that 0(f) £ E' 0 . Hence, 0(e) £ E' 0 as well. This 
means that e £ dom(i?). □ 

Lemma 35 For all objects ui, executions X £ Exec and X' £ Exec(w), morphisms 
(0, p) : X X’, and events e £ X' .E, we have the following well-formed abstraction: 

(0, p) : proj (X, R) (ctxt(X', e), e, X'.rval(e)) where R = per(/3, ctxt(X', e).£u{e}). 

Proof. Pick oj,X,X',(0,p),e. Let 

N = ctxt(X / , e), a = X'.rval(e), E N = N.E U {e}, 

R = per(0,E N ), X 0 = pro) (X,R). 

Since X'.vis is prefix-finite, N.E is finite. Hence, En is also finite. Furthermore, En 
is closed under the inverse image of X'.vis, because W'.vis is transitive. What we have 
just shown implies that proj(X, R) is a well-defined execution (Corollary 34). Let 

vis' = N.w is U {(/, e)\f£ N.E}, ar' = War U {(/, e) | / e N.E}. 

It suffices to show that 

(V/ e (N.E). (X 0 .Il)\ 9 :(/). gp(Waop(/),*'.rval(/))) 

A ((X 0 .H)y- He) £p(N.p,a)) A /3(W 0 .so) C id 
A /3(X 0 .~) C id A /3(X 0 .vis) — id C vis' 

A /3(X 0 .ar) — id C ar' A 0~’ 1 (v\s l ) fl sameobj(X 0 ) C W 0 .vis. 

The first two conjuncts of (37) hold because (0, p) is a morphism from X to X' and 
so, for every / £ En, 

(X 0 .H)\ p - m = (X.H)\p- m £ p(X'.aop(f),X'.™\(f)). 

The next two conjuncts of (37) are immediate consequences of the definitions of R 
and the projection proj/X, R), as shown below: 

0(X o .so) = 0(X.son R) C 0(R) C id, 

0(X O .~) = 0(X.~nR) C 0(R) C id. 




We prove the fifth conjunct of (37) as follows: 

/3(X 0 .vis) - id C OS(X.vis) - id) n ( E N x E N ) 

G X'.vis (~l (En x E n ) 

= vis 7 . 

Here the first subset relationship holds because X 0 .vis is a restriction of X.vis and it is 
defined over dom(7?) = /3 _1 (En). The next subset relationship uses the fact that (if p) 
is a morphism from X to X' . The following equality is an immediate consequence of 
the definition of vis 7 . 

The proof of the sixth conjunct is similar: 

P(X 0 .ar) - id C (/3(X.ar) - id) n {E N x E N ) 

C X'.ar n (En x En) 

= ar'. 

The first subset relationship uses the facts that Xo.ar is defined over dom(i?) and that 
it is a restriction of X.ar. The second subset relationship holds because (0, p) is a mor¬ 
phism from X to X' . The last equality comes from the fact that X'.ar is an acyclic 
relation and includes X.vis. 

Finally, we prove the last conjunct of (37) as follows: 

/3 _1 (vis / ) fl sameobj(X 0 ) C (/3 -1 (X.vis) n sameobj(X)) n (dom(7?) x dom(f?)) 
C X.visfl (dom(i?) x dom(i?)) 

= X 0 .vis. 

The first subset relationship uses the definitions of vis 7 and X 0 , the second comes from 
the fact that (/?, p) is a morphism from X to X' , and the following equality follows 
from the definition of Xj.vis. □ 

Proposition 36 For all 

F, X e Exec, w € Obj, H' e Hist(cu), R C (H'.E) 2 , : X.H -»■ H' 

if R' = (H 1 .so U (R/H'.~)) is acyclic and prefix-finite, and (X, /3~ 1 (R ,+ )) |=ccs F, 
then the following properties hold for X' = lift(X, H', R, ,6): 

1. X' is an execution, and satisfies CausalVis and CausalAr. 

2. (fS. p) is a morphism from X to X'. 

3. For every e € X'.E, if we let Flo = per(/3, {e} U ctxt(X', e).E), then 

proj(X, i? 0 ) ^cc F A (/3,p) : proj(X,i? 0 ) -> (ctxt(X', e), e, X'.rval(e)). 

Proof. The first property follows from Lemma 30, and the second from Lemma 31. 
For the third property, we note that since (X, /3~ 1 (R ,+ )) |=ccs F, 


^ hcc F. 




Pick e e X'.E. Let 


E N = {e} U ctxt(X', e).E and Ro = per(/3, E N ). 

Then, since X'.vis is prefix-finite, is finite. Also, it is closed under the inverse image 
of AT'.vis. Thus, by Corollary 34, proj(X, Ro) is an execution such that 

proj(X,F 0 ) Hcc F - 

Furthermore, by Lemma 35, we have the following well-defined abstraction: 

CM : proj(X,i? 0 ) -4 (ctxt(X , ,e),e,A , .rval(e)). 

□ 


Lemma 37 For all F, F and p, we have that 

ViV. V(X, a) e 7 (AT, p, F). F(N) = a 

if and only if for all 

X e Exec, w e Obj, H' e Hist(cc). F C ( H'.E ) 2 , /3 : X.E iF.F, 

we /rave tfiat 

(i/3,p) : X.H —H' A {H' .so IJ (R/H'.~)) is acyclic and prefix-finite 

A (X^^'-soU (F/F'.~))+)) |=ccs F) =► lift(X,F',F,/3) hcc [w ^ F] 

Proof. Consider arbitrary F, F and p. We show the equivalence in the proposition 
for these F, F and p. 

“Only if”. Pick 

X .6 Exec, w € Obj, 77' € Hist(co), F C (F'.F) 2 , 0 e [X.F —> F'.F] 

such that 

(fi, p) : X.HH' A (H'.so U (R/H'.~)) is acyclic and prefix-finite 
A (X, r 1 ((#'.:so U(F/F'.-))+)) KcsF. 

We need to show that 

\\ft(X, H',R,0) h [w>->-F]. 

Let 

X' = \ih(X,H',RJ). 

By Proposition 36, X' is an execution satisfying CausalVis and CausalAr. Hence, 
it is sufficient to prove that 

X>h^F]. 



Pick e £ X'.E. Then, 


X'.obj(e) = u. 


Let 


N = ctxt(X',e), a = X'.rval(e), and Ro = per(.L {<} U N.E). 
Then by Proposition 36, 

proj(X,i? 0 ) HcF A (/3,p) : proj(X,i? 0 ) ->• ( N,e,a). 

This implies that 

(proj(X, Ro), a) £-y(N,p,¥). 

Thus, by the assumption of the proposition, 


F(N) = a. 

We have just shown that X' |= [a; i—)■ F\, as required. 

“If”. Pick 

N and {X,a) £ ^(N, p,¥). 


We have to prove that 


F(N) = a. 

Since (X, a) £ 7 (N, p, F), there exist d and e such that 

e ^ N.E A {p,p):X^ (N, e,a) A X 
By the second conjunct here, for every / £ N.E, there exists a / 


He F. 

£ Val such that 


(X.H)\p- Hf) £p(N.aop(f),a f ). 

We abuse the notations slightly and let a e = a and W.aop(e) = N.p. Pick an arbitrary 
object oj £ Obj. Define an execution X' as follows: 

X'.E = N.E W{e'} A WMabel(/) = (w, JV.aop(/), a f ) (for all / e N.E U {e}) 
A X'.so = 0 A = id 

A W'.vis = W.vis U {(/, e) | / e N.E} 

A W , .ar = iV.arU{(/,e) | f£ N.E}. 


It is relatively easy to check that X' is an execution, if we do not forget to use the 
following facts: (i) X’.E = N.E U {e} is finite; (ii) e is not in N.E; (iii) both A'.vis 
and War are strict partial orders; (iv) A r .vis C War. Also, since (3, p) is an abstraction 
from X to (W, e, a), we have the following morphism from X to X': 


(3,p):X^X'. 


Let 


H’ = X’.H and R' = H'.so U (X'.vis/H'.~). 



Then, R' = A 7 .vis. Hence, it is acyclic. This also implies that R' is prefix-finite, be¬ 
cause it is defined over the finite set X'.E. We will next show that (X, /3 _1 (i? 7+ )) 
satisfies CausalVis', CausalAr 7 and PrefixFiniteAr 7 . 

Let us start with CausalVis 7 . Note that, since A 7 .vis is transitive, 

(3~\R' + ) = r 1 ((^ , -vis)+) = j3 _1 (A 7 .vis). 

Using A 7 .so = 0, A 7 .~ = id and properties of /3, we get 

/3(A.so U A.vis) - id = (/3(A.so) - id) U (/3(A.vis) - id) 

C A 7 .so U A 7 .vis 

= A'.vis. 

From these observations and the same fact that A 7 .so is the empty relation and A 7 .~ is 
the identity relation we derive the following equalities: 

((A.so U A.vis U p~ 1 {R ,+ ))/ A.~)+ 

= ((A.so U A.vis U /T 1 (A 7 .vis+))/A.~)+ 

= ((A.so U A.vis U /3 -1 (A 7 .vis))/A.~) + 

= (((A.so U A.vis)/A.~) U (/3 -1 (A 7 .vis)/A.~)) + 

= (((A.so U A.vis)/A.~) U /T^A'.vis)^ 

= ((A.so U A.vis)/A.~)+ U (/3 _1 (A 7 .vis)) + 

= ((A.soU A.vis)/A.~)+ U 3 ’(A 7 .vis). 

The first equality holds because R' = A 7 .vis, the second follows from the transitivity 
of A 7 .vis, and the third uses the distributivity of the quotienting over the relation union. 
The fourth follows from the fact that for all ei, e2, e 3 , e 4 £ X.E, 

((ei,e 2 ) £ A.~ A (e 2 ,e 3 ) £ ^(A'.vis) A (e 3 ,e 4 ) € A.~) 

=► ■ #*,«*) er'^'-vis). W 

The last equality holds because the inverse image of a transitive relation is also transi¬ 
tive. The most tricky part is the fifth equality. It holds because for all eo, e\ , e 2 , e 3 , e 4 e 
X.E, 

((eo, ei) £ A.~ A (ei, e 2 ) £ (A.so U A.vis) A (e 2 , e 3 ) € A.~ A (e 3 , e 4 ) £ ft 1 (A 7 .vis)) 
=£• ((eo, e 4 ) £ A.~ A (ei, e 2 ) £ (A.so U A.vis) A (e 2 , e 4 ) £ /3 ^(A 7 .vis)) 

((e 0 , ei) £ A.~ A (e 1; e 4 ) £ '§~\X' vis)) 

=$■■ (eo, e 4 ) € /?~ 1 (A 7 .vis), 

where the first and third steps use (38) and the second step uses the transitivity of A 7 .vis 
and the inclusion /3(A.soU A.vis) C (idU A 7 .vis). Because of what we have just shown, 

((A.so U A.vis U /3 -1 (fi 7+ ))/(A.~)) + n sameobj(A) 

= ((A.so U A.vis)/(A.~)) + n sameobj(A) U /T^A'.vis) n sameobj(A) 
C A.vis. 




The last subset relationship holds because X satisfies the CausalVis axiom and (/?, p) 
is a morphism from X to X'. 

To show CausalAr', we notice that 

£((X.soU X.vis UX.ar)/X.~)-id C X'.vis U X'.ar (39) 

and also that 

{X.so U X.vis U X.ar;|rf;i- 1 (i? ,+ ))/X~ 

= (X.so U X.vis U X.ar U 3~ 1 (X'.\,\s + ))/X.~ 

= (X.so U X.vis U X.ar U |5{X'.vis))/X.~ 

= ((X.so U X.vis U X.ar)/X.~) U 3 '(X'.vis). 

Furthermore, (X.so U X.vis U X.ar)/(X.~) is acychc. Thus, if (X.so U X.vis U X.ar U 
/r 1 (#+))/(*•-) is cyclic, this cycle should contain an edge from 3 1 (X'.vis). But 
in this case, because of (39), 3 maps this cycle to a cycle in X' that has edges only from 
X'.vis and X'.ar. This contradicts the fact that X'.vis U X'.ar is acyclic. 

The last axiom is PrefixFiniteAr'. Since (3, p) is a morphism from X to X' and 
X'.E is finite, X.E should also be finite. This implies the PrefixFiniteAr' axiom. 

We have thus established that (X, 3~ 1 (R ,+ )) satisfies CausalVis', CausalAr' 
and PrefixFiniteAr'. Since R! = X'.vis is acyclic and prefix-finite, 
lift(X, H', X'.vis, 3) is an execution satisfying CausalVis and CausalAr by 
Lemma 30. Furthermore, since X |=cc F and H' € Hist(w), by our assumption we 
have 

lift(X, H\ X'.vis, 3)\=[w^F}. (40) 

We now show a certain correspondence between lift(X, H', X'.vis, 3) and X'. First, 
their histories are the same since we chose H' = X'.H. 

Next, 

lift(X, H', X'.vis, /?).vis = ((H'.so U (/3(X.vis) — id) U X'.vis)/X'.~) + 

= ((/3(X.vis) — id) U X'.vis) + 

= (X'.vis)" 1 " = X'.vis. 

The second equality holds because H'.so = 0 and X'.~ = id. The third equality comes 
from the fact that (3, p) is a morphism from X to X' and so /3(X.vis) — id C X'.vis. 
The fourth follows from the transitivity of X'.vis. 

Third, 

lift(X, H', X'.vis, 3)- ar = (( H'.so U $(X.ar) - id) U X'.vis)/X'.~)+ 

= ((/3(X.ar) — id) U X'.vis)" 1 " 

C (X'.ar UX'.vis) + 

= (X'.ar)+ = X'.ar. 

The second equality holds because H'.so = 0 and X'.~ = id. The next inclusion holds 
because (3, p) is a morphism and so /3(X.ar) — id C X'.ar. The last two equalities use 
the facts that X'.vis C X'.ar and X'.ar is transitive. 



Thus, lift(X, H', X'.vis, 8) and X' are identical, except the latter may have a bigger 
arbitration relation. Since F preserves its value on arbitration extensions (Definition 2), 
from (40) we get 

X'^p^F}. 

This in turn gives 

a = X'.rval(e) = F(ctxt(X', e)) = F(N), 
as required. □ 


We compare specifications F, F' C Spec using the following order: 

FQF' 

if and only if 

ViV G Ctxt. N G dom(F) => (N e dom (F 1 ) A F(N) = F'(N)). 

Using this order, we define an operation that selects minimal specifications from a given 
set of specifications: for all T C Spec, 

max(T-) = {F G T | -.3 F' gF.F^F'aFQ F'}. 

Then from Lemma 37 we get 
Corollary 38 


{[r I- let {Xj = new Tj} j=1 „ m in {o(u in ) : n ou t = atomic {C 0 }} 0 eo ■ 0\rf\ = 

({F | Mobj G [{xj | j = 1 ..to} —h„j Obj]. 3F G [range(o&i) *-f Spec]. \ 

(Vi = l..m.¥(obj(xj)) G K]r?) A 

(VX G Exec. Vw G Obj. VfT G Hist (w). ViJ C {H'.Ef.Mp : X.E -► H'.E. 
(y3,l{CoUoi(obj)) : X.H ^ H> 

A (H 1 .so U (R/H'.~) is acyclic and prefix-finite) 

A (X, 8~ 1 ((H'.so U(R/H'.-))+)) hccs F) 

\ =► lift(X, H', R, fi) hcc [w F])} ) 


D.4 Soundness 

Throughout this section, we fix an object variable environment {xj : Oj \ j = l..rn} 
and a collection of commands 

{xj : Oj | j = 1 ..rn} | Uin,n out E C 0 , oGO. 

Definition 39 For H,H' G Hist we write (8,p,oj) : H => H' if the function 8 '■ 
H.E —> H'.E, summary p : AOp x Val —*■ 'P(FHist) and object cu G Obj are such that 

(Ve G H'.E. {H'. obj(e) ^ u => e G H.E A 8(e) = e A H.label(e) = ff'.label(e)) 
A (H'.obfie) =u =* eg H.E A H\ 0 -i (e) G p(77 , .aop(e), ff'.rval(e)))) 
*■£{#■») - id = (tf'.so)|^. E) 

A/3(FH = (F / .~)| /3( h. B) . 



We note that (0, p, co) : H84* H' implies 


Ve, f, g e II. E, /3(e) = 0(g) => 0(e) = 0(f) = 0(g), (41) 

for otherwise we would have 0(e) H s °> 8(f ) H ' s °> /3(g) and /3(e) = /3(g), contra¬ 
dicting the transitivity and irreflexivity of H'. so. 

Let 

(\C\>(obj,v) = {H | P € <C>(ofc» V (P,_) e <C)(o&j>)}. 
Proposition 40 Assume 

au{x-.o}\ z:\-c-, 

A U {#j : 0 7 | j = 1 ..to} | E b sti6st({(x, o) i-> C a \ o € O}, C). 

Then 

Vobj : dom(Zi U {xj : Oj \ j = l..m}) -> in j Obj. 

V(T : E —^ Val.Vw e Obj - range(oAj). 

VPe (\subst({(x,o) ^ C a \ oeO},C)ty(obj,o). 

3 H' e dCD(o^| 0 var-{x^..m}[a: ^ wW).3/3 : P.P -> H’.E. 

((0,l{C o }oeoi(obj | {a . b= i.. m} ),cc) :H=>H'). 

Let Pc range over clients: 

P c ::= (7i || ... || C n . 

We let 

<Ci || ... || C n )obj = {l+jj =i Hj | Vj = l..n. P 3 e [])} . 

Then the clause for the denotation of a client can be rewritten as 
ICi || ... || C n j(type,obj,¥) 

= {H | Pe (Ci || ... || C n ) obj A 3vis, ar. (P, vis, ar) |= C c F}. 
From Proposition 40 we get 
Corollary 41 Assume 

0 | Al){x : 0} b P c ; 

0 | id U {xj : Oj | j = l..m} b subst({(x, o) i-» C Q \ o e O}, Pc). 

Then 

Mobj : dom(Zl U {xj : Oj \ j = l..m}) -h n j Obj. Vw e Obj - range(o6j). 

VP 6 (su6st({(x,o) i-t C 0 | o e O}, Pc))obj. 

3H' e (Pc)(o6i|ovar-{xib=i.. m }[a: ^ os}).30 : P.P -> H'.E. 

((0,l{C o } oe oi(obj),u) : H ^ H'). 



We now discharge the most difficult case in the soundness direction of Theo¬ 
rem 21—that of the data-type-inlining reduction. 

Theorem 42 (Soundness) Let 

D = (let {xj = new T 0 } ]=1 m in {o(v in ) : u ou t = atomic {C 0 }} oe o); 

P 2 = (let x = new D in P); 

P 1 = (let {xj = new in subst({(x, o) 1-4 C 0 \o£ 0},P)), 

where P 1 and P 2 are complete. Then [P 1 ]cg C[P 2 ] CG- 
Proof. Let 


0 | {xj 0 : {o io }} U U {x : O} h P^; 

0 | {xio : {oio}} U A U {xj : Oj \ j = l..m} h P£ 

be the client parts of P 1 and P 2 , respectively, so that 

Pq = subst({(x, 6) i-4 C Q | o £ 0},P£). 

Consider any obj 0 : (dom(Z\) U {x, 0 } U {xj \ j = l..m}) -4; rj Obj such 
that obj 0 (x lo ) = io and F 0 : (range(o&) 0 ) — {io}) -4 Spec such that \fj = 
l..m.¥o(obj(xj)) £ [Ij|[]. Further, consider any execution 

= (Fo,vis 0 ,ar 0 ) = ((Eb,label 0 ,so 0 ,~o),viso,ar 0 ) £ [P<;]([], obj 0 ,¥ 0 ). 

In the following, we also use selectors such as obj 0 for this and other executions. We 
also take w £ Obj - range(o6? 0 ) and define obj' 0 = obj o|ovar-{^|j=i..m}[ a; ^ w ]. 
Let 


F = l D J[]> L = r ange(o6) 0 |{*4|^..m}); F o = ^olobj-L^ i-4 F]. 

The goal of the following development is to construct Xq such that 

observ(Wo.P) = observ(X".F) A X" £ [P c 2 ]([], obj' 0 ,¥' 0 ). 

Since X 0 £ |P^]([], o6j 0 ,F 0 ), we have H 0 £ {Pl)obj 0 and X 0 |= C c F 0 . From 
the former, by Corollary 41 for some 

H 'o = ( E o> label o- so o> ~o) e ( p c) oh J o (42) 

and /9 0 : H 0 .E -4 H' 0 .E we have (/3 0 , l{C 0 } oe0 j(obj),uj) : H 0 => H' 0 . 

Let 

F = F 0 |z,; obj = obj g \ {Xj \^i m} ; 

X = (F, vis, ar) = ((F, label, so, ~), vis, ar) = X 0 \ E 

and /? = 0q\ e for E={e\ objo(/3 0 (e)) = w}; 

H' = (E', label', so', ~') = H' 0 \ E , for E' = {e | obj' 0 (e) = w}; 



It is easy to see that 

(Ve e E obj(e) G L) A (Ve G E 0 — E. obj 0 (e) g L). (43) 

Then observ(// 0 ) = observ(i?o). We also have X G Exec, H' G Hist(cu) and 

(P,l{Co}oeoi(obj)):H^H>. 

For r C Eq x Eq we let lib(r) = rj e and client(r) = v\e 0 -e', for r C E' 0 x E^-we 
letlib'(r) = r\ E >. 

Let 

Q = A(((so 0 Uviso)/~o) + )-id; 

R = \\b'((so' 0 U (QM,))+); 

X' = (H 1 , ((so' U (/3(vis) - id) U tf)/~') + , ((so' U (/?(ar) - id) U R)/~') + )- 
Then, since F = [£>][], by Corollary 38 and Lemmas 30 and 31 we get 

((((i?/~ / ) U so') is acyclic and prefix-finite) A (X , /3~ 1 ((so / U (i£/~')) + )) |=ccs F) 
=► X> G Exec A X' hccs [w ^ F] A (/?, l{C 0 } oe0 i(obj)) :X^X’. 

(44) 

Proposition A: <5/~o « transitive. Take e',f',g' G E' 0 such that 




and consider three cases. 


L e' ~' 0 /' g'. Then 


Taking into account (0 O , l{C 0 } oe oj(obj),ui) : H 0 
Eq we have 


H’ 0 , for some 


A)(e)=e / ; /?o(/i) = Aj(/ 2 ) = = !?'; 

((so 0 Uviso)/~o) + , , ((so 0 Uvis 0 )/~o)+ 

e -► Jl ~0 72 -► 5 - 

Then e ~o fi ~o fi ~o 9 and, hence, 

e fi ~o h 9 

and any pair of the four events is related by soo. The case of g e contra¬ 
dicts (41); hence, e g. If ; 3 0 (e) = f ) 0 (g), then 


/' 


contradicting the properties of so' 0 . Hence, /3 0 (e) ± : 0o(g) and {e',g') G Q. 



2. /' 7^0 ( J ■ Then for some e\. f [, f ' 2 , g\ £ E' 0 we have 


e/ ~o e i ^ fi ~o J* ~o J2 * ~o d' ■ 

Hence, for some e-i. /), /' 2 , r/i G Eq we have 

/3o(ei) = ei; Po(fi) = fa Po{h) = fa M 91 ) = 9i, 

((so 0 Uvis 0 )/~o) + , , ((so 0 Uviso)/~o) + 

e l - > Jl ~0 J2 -> 9 1 

and /2 7^0 ffi- Because of the latter, for some £ E (j we have 


ei- 1 —> fi ~o y*2 - 

and / 2 7^0 /3- By the definition of factoring, this implies 


, , , ., . ((so 0 Uvis 0 )/~o) + 

and j 1 7^0 ffi, so that ei-► 51. 

Since /1 7^0 ffi, we cannot have ei ~o <j\■ if this were the case, then similarly to 
the above we would be able to show that 


h 


((so 0 Uviso)/~o) + 


ei, 


contradicting CausalAr for X 0 . Since /3o(e-|) = /3 0 (fl , i) implies e\ ~o 9\ , we 
get that /3o(ei) 7^ /3o(fli) and, therefore, (e^, <?i) e Q. Since ei 7^0 9i, we cannot 
have e' 7^0 and, hence, (e',g') £ Q. 

3- e' 7^0 /'. This case is analogous to the previous one. 


Proposition B: (so' 0 U (Q/~o)) + = so' 0 U ((sog)*; (Q/~' 0 ); (sog)*). Consider 
(e' 0 ,/o) e ( so o u (<2/~o)) + - Then there is a path from e' 0 to f' {) in so' 0 U {Q/~' 0 ). 
By Proposition A, Q/fa and sog are transitive. Hence, we can assume that the edges 
from these two relations alternate on the path. 

Consider first the case when all events on the path are from the same transaction 
according to ~g. Then every edge is in S0 q U Q and, since Q C Q\s, s (e 0 )* the path is in 

soo U ((sog)*; (so' 0 |^ 0 (Ba) u <3) + ; ( so o)*) 

C sop U ((so'o)*; ((^o(soo) - id) U Q)+; (so(,)*) 

G sog U ((so'o)*; Q + ; (so' 0 )*) 

C SO g U ((so'g)*; Q/~o; (so'o)*) 


as required. 

Assume now that the path contains events from at least two different transactions. 
We can ensure that the path does not contain edges 




SOqU(Q/~q) 






for ei e2, since, e.g., we can replace any sequence of edges 


sQqU(Q/~q), so'U(Q/~') v 


such that ei e2 * 


•' e n and e n e n+ \ by a single edge 

so(,U(Q/~')' 


for which e\ e n+ \. 

Assume the path contains a fragment of the form 

/ Q/~ 0 ft S °0 * Q /~'° Ut fAC\ 

e -* / — g - h ; (45) 

then e' /', f 96 q g' and g' /g h! . Then for some e' 0 , /g, g' 0 , h' 0 £ E' 0 we have 

e/ ~o e o * fo ~o / 7 * ^ ~o 50 * ^ ~o 

Hence, 

d ~o e o * fo ^ So * ~o 
Since Q C Q|^ o(Bo ), we have 

(fo,9o) e sool^^) = (A)(so 0 ) - id) C Q, 

and thus 


/ / / y w y / y 7/ / ,, 
e ~o e o —^ /o —So —> ho ~ 0 h,. 


This implies 


Then by the transitivity of Q/~o we get 


In this case we can thus replace the fragment (45) by this edge. 

Applying the above steps repeatedly, we can ensure that the path does not have 
fragments of the form (45), which means that (eg, /g) £ S0gU((s0g)*; (Q/~g); (sOq)*). 


Proposition C: sog U (Q/~o) is acyclic. By Proposition B and the facts that SOq and 
Q/~g are transitive and irreflexive, if there is a cycle in sog U (Q/~o)> then it can be 
converted into the form 


If e! /', then e' f and, hence, /' —e'. The latter implies /' e', 

which yields a contradiction with the acyclicity of Q/~g. 




Now assume e! /g /'. Then for some eg, /g € E' 0 we have 


e ' ~o e o * /o ~o / ^ e/ - 

This implies 

e 0 /o ^ e g, 

which yields a contradiction as above. ■ 

Proposition D: /3 _1 ((so' U (-R/~')) + ) = lib(((so 0 U vis 0 )/'~ 0 ) + ) - sameop, where 
sameop = {(e, /) | /3(e) = /3(/)}. By Proposition B we have: 

r 1 ((so / u(^/~o) + ) 

= ,3 '((so' U (lib , ((so( ) U (Q/~o)) + )/~ / )) + ) 

= 1 (lib / ((soo U (<5/~o)) + )) 

= r 1 ((so' 0 U(Q/~( ) ))+) 

= #3 1 (soj, U ((sog)*; (Q/~o); (so(,)*)) 

= /3- 1 (so / ) U /3 _1 ((sog)*; ((/3g(((sog U visg)/~o)+) - id)/~g); (soj,)*)- 
We have: 

'(so') PS-| _1 (so , | / 3( E) ) = /3“ 1 (.3(so) - id) = so - sameop. 

We now show 

J^ 1 ((s°o)*; ((A(((sogUviso)/~g) + )-id)/~o); (so'g)*) = lib(((so 0 Uvis 0 )/~g) + )—sameop. 
Take (e, /) e lib(((sog U viso)/~g) + ) — sameop. Then 

(/3(e), /3(f)) e /?(lib(((so 0 U vis 0 )/~ 0 ) + ) - sameop) = /3(((so 0 U vis 0 )/~ 0 ) + ) - id, 

which implies the required. 

Now take 

(e, /) e /3 _1 ((s 0 g)*; ((/3 0 (((so 0 U vis 0 )/~ 0 )+) - id)/~(,); (so{,)*). 


(/3(e),/3(/)) € (sOo)*;((^ 0 (((sOgUvisg)/~ 
Hence, for some eg, /g e E' 0 we have 

/3(e) 

Assume eg ~g /g; then 


■ id)/~o);(sog)*. 


* /?(/)• 




Therefore, for some e 0 , /o £ E such that /3(e 0 ) = e' 0 and (3 (Jo) = we have 


((so 0 Uviso)/~o) + t 


This implies 

((so 0 Uvis 0 ) /~o) "*" , 

e- >f. 

By Proposition C we have /3(e) fi /3(f), which, together with the above, establishes the 
required. 

Consider now the case when e' 0 fi' 0 f(. Then for some e \, f[ £ E' 0 we have 


m 1 


* fi ~o fo - 


fW) 


and o', /' 0 /(. 

If /9(e) ~' 0 eg, then /3(e) (s ° o) l/Mgo) > ^ ^ 

If 0(e) /o eg, then /3(e) fi e' 0 and /0(e) ( - $ ° o) l ' 3o(E ° ) > e'* efi 

We can make a similar argument for (3( f ) and /(,. Thus, for some e' 0 , f( £ E' 0 we 
have that 


0(e) 


* fi ~o fo 


Mf)- 


Then for some eo, ei, /o, fi £ E 0 we have 

0(eo) = e^; 0(ei) = e' i; /3(/ 0 ) = /d; 0(/i) = /(; 


and ei 7^0 fi- This implies 


By Proposition C we have (3(e) fi /3(f), which, together with the above, establishes the 
required. ■ 

Proposition E: soq U ar 0 /~ is prefix-finite. Assume there is e £ E 0 such that the set 


W e = {f J 7 


(sooUar 0 /~ 0 )+' 


e} 


is infinite. Recall that so 0 partitions events in E 0 into finitely many sessions. Let U e 
be the set of events in the same session as e. Since soo is prefix-finite and X 0 satisfies 
CausalAr, we can assume without loss of generality that W e fl U e = 0 and for every 
/ £ W e there exists e/ fi U e such that 


, ((sooUar 0 /~o)n(Bo-t^e) 2 )* (ar 0 /~o) 

/-> e/-e. 


Since aro is prefix-finite, the set {e/ | / £ W e } is finite. Hence, there exists e/ 0 such 
that 


{/I/ 


e/J 


((so 0 Uaro/~ 0 )*)n(igo-t/ e ) ; 





is infinite. Continuing repeatedly as above, after finitely many steps we can eliminate 
all the sessions except one, which contradicts the prefix-finiteness of soo- ■ 

Proposition F: (X, /3~ 1 ((so' 0 U (i?/~')) + ) |=ccs F. We first show that X satisfies the 
required axioms using the fact that Xq |=cc F 0 . 

- CausalVis'. Consider 

(e,/) 

£ ((so U vis U /? -1 ((soo U (-R/~')) + ))/~)+ n sameobj(X) 

= ((so U vis U (lib(((so 0 U vis 0 )/~o) + ) - sameop))/~)+ n sameobj(X) 

C ((so 0 U vis 0 )/~o) + n sameobj(Xo), 

(we used Proposition D). Then by CausalVis for X 0 we have (e, /) £ vis 0 . We 
also know obj(e) = obj(/) £ L, so that by (43) we get (e, /) £ vis. 

- CausalAr'. Using Proposition D, we get: 

((so U ar U r 1 ((so' 0 U (E/~0) + ))/~) + 

= ((so U ar U lib(((so 0 U vis 0 )/~o) + ) - sameop)/~)+ 

C ((so 0 Uar 0 )/~ 0 ) + . 

Hence, the validity of CausalAr for X 0 implies the validity of CausalAr' for 
X. 

- PrefixFiniteAr'. We need to show that (so U ar U /3 _1 ((so' 0 U (i?/~')) + ))/~ is 
prefix-finite. It is sufficient to prove that ((so U ar U 0~^{(so' o U (i£/~')) + ))/~) + 
is prefix-finite. Above we showed that 

((soUarU/3“ 1 ((so , 0 U(i?/~ , )) + ))/~) + C ((so 0 U ar 0 )/~ 0 ) + , 

which is prefix-finite by Proposition E. 

Let us now show that X \= F. Consider e £ E\ then obj(e) £ L and, in particular, 
obj(e) 7^ io. From (43) it follows that ctxt(A 0 , e) = ctxt(V, e) and 

rval(e) = rval 0 (e) = Fo(obj 0 (e))(ctxt(A 0 , e)) = F(obj(e))(ctxt(X, e)), 

as required. ■ 

Proposition G: ((i?/~') U so') is prefix-finite. Similarly to how it was done in Propo¬ 
sition D we get 


((f?/~) U so') + = s0q U ((soq)*; (<3/~o); (so' 0 )*). 
Since so(, is prefix-finite, it is sufficient to show that for any e, the set 


is finite. Since Q = /3q(((soo U viso)/~o) + ) — id, this follows from Proposition E. ■ 




From Propositions C, F, G and (44) we then get X' |=ccs [w i-> F] and 


(P,l{Co}oeoj(obj)):X^X'. (46) 

Let 

vis' 0 = client(viso) U ((so' U (/3(vis) — id) U i?)/~') + ; 
ai-Q = client(ar 0 ) U ((so' U (/3(ar) — id) U -R)/~') + ; 

Xq = (HQ,v\s' 0 ,ar' 0 ). 

Proposition H: For S = 8 0 (( (so 0 U ar 0 )/~ 0 )+) - id, 

- S/^q is transitive; 

- (so'o u (5/^))+ = so'o U ((soq)*; (Sy~' 0 ); (so' 0 )*); 

- so'o u {SHo) is acyclic. 

Proved the same way as Propositions A, B, C. ■ 

Proposition I: X' {) e Exec, X' 0 |=ccs ®o an ^ satisfies the following version of 
Eventual; 

Ve e E' 0 . objo(e) ^ w => 

vis / (47) 

-■(3 infinitely many f e E' 0 . sameobj(ATo)(e, /) A ->(e -A /)). 

Since ar 0 and X'.ar are prefix-finite, we have that so is ary. We now show that Xq 
satisfies the required axioms. 

- CausalAr. We have: 

((so'o u ar o)/~o) + 

= ((so'o u client(aro) U ((so' U (/3(ar) - id) U #)/~') + )/~o) + 

= ((so'o u A)(client(ar 0 )) U 
((so' U (3(ar) — id) if; 

lib'((so(, U ((A,(((so 0 Uvis 0 )/~o) + ) - id)/~ , 0 ))+))/~ , ) + )/~o) + 

C so'o u ((/3o(client(ar 0 )) U (/3 0 (((so 0 U ar 0 )/~ 0 ) + ) - id))/~(,)+ 

= (so'o u ((^o(((so 0 U ar 0 )/~ 0 )+) - id)/~' 0 ))+. 


Let 

S = /3 0 (((so 0 U ar 0 )/~ 0 ) + ) - id. 

It is thus enough to show that the relation soq U (<S , /~q) is acyclic. This follows 
from Proposition H. 

- CausalVis. We need to prove 


((so'o u vis o)/~o) + n sameobj(A'o) C vis' 0 . 



Using Proposition B we obtain: 
vis'o 

= client(viso) U ((so' U (/3(vis) — id) U i?)/~ / ) + 

= client(viso) U ((so' U (/3(vis) — id) U 

Iib , ((s 0 { ) U ((/3 0 (((so 0 U vis 0 )/~ 0 ) + ) - 'd)/~o)) + ))/~') + 

= client(viso) U ((lib'((so , 0 U ((/3 0 (((so 0 U vis 0 )/~ 0 ) + ) ~ id )/~o)) + ))/~') + 

= client(viso) U lib , ((so , 0 U ((/3 0 (((so 0 U vis 0 )/~ 0 ) + ) - id)/~o)) + ) 

= client(viso) U lib'(so' 0 U ((so(,)*; ((/3 0 (((so 0 U vis 0 )/~ 0 ) + ) - id)/~o); (so(,)*)); 

((soq U viso)/~o) + 

= ((soq U client(viso) U 

lib'((so' 0 U ((/3o(((soo u vis 0 )/~o)+) - id)/~(,))+))/~' 0 )+ 

C ((soq U client(viso) U (so' 0 U ((/3 0 (((so 0 U vis 0 )/~ 0 ) + ) - id)/~' 0 )) + )/~o) + 

I (so'o u ((M(so 0 U viso)/~o) + ) - id)/~o))' • 

= soq U ((soq)*; (IM(( soo U vis 0 )/~ 0 ) + ) - id)/~' 0 ); (soj,)*). 

Hence, we need to show 

(soqU ((soq)*; ((/3o(((so 0 Uvis 0 )/~ 0 ) + ) - id)/~o); (soo)*))nsameobj(Xo) C 
client(viso) U fib'(so' 0 U ((sOq)*; ((/3 0 (((so 0 U vis 0 )/~ 0 ) + ) - id)/~o); (soq)*)). 

Let 


(e', /') £ (soq U ((soq)*; ((/3 0 (((so 0 U vis 0 )/~ 0 ) + ) - id)/~{,); (so' 0 )*)) 

*. Jp sameobj(X ( ', ). 

Then either e',f' £ E’ or e',f £ E' 0 — E'. The former case is obvious. Consider 
the case when e! , f £ Eq — E'. If (e', /') £ so' 0 n sameobjpCg), then (e', /') £ 
soo n sameobj(Xo) C viso, and thus (e', /') £ client(viso). The remaining case is 
that 

e ((so' 0 )*; ((A(((so 0 U vis 0 )/~ 0 ) + ) - id)/~' 0 ); (so' 0 )*) n sameobjpQ. 
As in the proof of Proposition D, we can show that this implies 

g / ((sooUviso)/~o)+^ 

and, hence, 

(e', /') £ ((so 0 U vis 0 )/~o) + n sameobjpfg) C vis 0 , 

as required. 

- (47). Assume that for some e £ E' 0 such that objg(e) ^wwe have 

3 infinitely many / £ E’ 0 . sameobj(Xo)(e, f) A->(e —^ /). 

Then all /s are in Eq — E and, correspondingly, ->(e /), yielding a contradic¬ 

tion with Eventual for X 0 . 



Finally, let us show that X' {) |= Fq. Consider e G E' 0 such that objo(e) / io. 
Given (43), it is easy to see that ctxt(Xo,e) = ctxt(X 0 ,e), if objo(e) ^ u, and 
ctxt(Xg, e) = ctxt(X', e), otherwise, from which the required follows. ■ 

Proposition J: There exists X ( " G Exec such that 

Xq |=cc K A X o- h = Hq A Xg.vis 2 Xg-vis A Xg.ar D X^.ar. 


By Proposition I we have Xq |=ccs Fq an| J (47). Hence, the following holds for 
y = X' 0 : 

^NxsF'q A Y.H = Hq A F.visDX'.vis A F.arDX'.ar (48) 
A Y |{e|obj'(e)#a;} = X o\{e\ob}' 0 (e)^u}> 

Ve € E' 0 . objo(e) ^ u =>■ (49) 

->(3 infinitely many / G E' 0 . sameobj(Xo)(e, /) A ->(e y,vis > /)); 

(P, UCoUoKohj)) : X F| { e|obj'(e)= w} . (50) 

Consider an arbitrary execution Y satisfying these conditions. If Y satisfies Even¬ 
tual, then we can let Xq = Y. Otherwise, there exist events e G E' 0 such that 

3 infinitely many / G E’ 0 . ob/ 0 (e) = obj' 0 (/) A ->(e -^4 /). (51) 

From (49) it follows that for all such events e we have objo(e) ^ ui. Out of all events e 
satisfying (51), let us take an event eo that is minimal in ((soq UF.vis)/~o) + , i.e., such 
that there does not exist an event e G E' 0 for which (51) holds and 

((so(,UY.vis)/~;,) + 

e- )■ e 0 . 


Let 


J 0 = {e | e ~q e 0 A (51) holds}; 

J = {f&E' 0 | 3e G J 0 . objo(e) = obj' 0 (/) A -(e /)}. 

As in Proposition E, we can show that ((soq U y.ar)/~o)+ is prefix-finite. Hence, there 
are at most finitely many / G J such that 


Let Ji be the subset of J resulting from removing all such / as well as all / such that 
/ ~Q eo; then J\ is infinite. 

Next, let 


G={eeE' 0 | 


((S0oljy.vis)/~o)- 


e 0 V (e ~o e 0 Ae £ J 0 )}; 



then G is finite and (51) is false for every e £ G by (47) and the choice of eo and Jo. 
Let 

G' = {g £ E' 0 I 3e e G. obj' 0 (e) = obj' 0 (si) A -.(e -^4 g)}\ 
then G' is finite. Hence, there are only finitely many f £ Ji such that 


Let J 2 be the subset of Ji resulting from removing all such /. Then J 2 is infinite. 

Since Y .vis 3 X[ y v\s D /3(vis) and X satisfies Eventual, there are at most finitely 
many f £ Ji such that obj(/3 _1 (/)) fl obj(/3 _1 (Jo)) ^ 0. Let J' be the set of such / 


J 3 = J 2 -{/' | 3/e J'.f 


r , ((S0ouy.vis)/~o) + u^ 


>/}• 


Then J3 is still infinite. Finally, take some element e £ J3 that is minimal in ((so' 0 U 
y.vis)/~o) + , i.e., 

r< Ik# S. . , ((S0'UV.vis)/^-')+' 


J4 = J3 - {e' | e ~ 0 e'}. 

To summarise, J4 includes all but finitely many f £ E' 0 such that 
3e € J 0 . obj' 0 (e) = obj'(/) A -n(e ^ /) 
and for any / £ J4 we have: 

°bj(/3 -1 (/)) n obj(/3 _1 (Jo)) ^ 0; 

“■(/ ~o e 0 ); 

, ((so'UU.ar)/~') + 


" '3e € Jo. / - 

Ve,^ e Eq. (objg(e) = obj' 0 (g) A (e 


((sOgUKvis)/~o) J 


(53) 

(54) 

(55) 


e 0 V (e e 0 A e ^ J 0 )) 
y.vis^ ^ 

(56) 


Let 


U = {(e, /) | e e J 0 A / e J 4 A obj' 0 (e) = obj' 0 (/)}. 
y' = (H' 0 , y.vis U U, (y.ar U U) + ). 

We now show that Y’ |=ccs F' 0 . We start by showing that Y’ satisfies CausalAr. 
Assume there is a cycle in 

(so' U(y.arU(/)+)K. 

Then there is also a cycle in 


(sOq U y.ar U U)/~' 0 




Since Y |=ccs Eg, the cycle has edges from U/~' 0 . Without loss of generality we can 
assume that there is a single such edge on the cycle (the cycle can be transformed to 
ensure this), so that the cycle is of the form 

, EV~' ,, «so'uy.ar)/~J)+ , 

e - > j - > e 

for some e',f £ E' 0 . Then by (54) we have 

* ((so'ur.ar)/-'^ 

/-* eo 

for some f £ J\, which contradicts (55). Hence, Y' satisfies CausalAr. 

We now prove that Y' satisfies CausalVis. Consider e,g £ E' 0 such that 
objo(e) = obj(,(g) and 

((so^ur.visU!7)/-i) + 
e- > g. 

If the path from e to g contains only edges from (soq U y.vis)/~ q, then, since Y satisfies 
CausalVis, (e, g) £ y.vis and we are done. Now assume that the path contains edges 
from (7 /~q. Without loss of generality we can assume that there is a single such edge 
on the path, so that the path is of the form 

((so'Uy.vis)/~(,)* , U /~’ 0 , ((sOq UU.vis) /~q )* 

e ->• e -)• / - g 


for some e',f £ E' 0 . Hence, we have 

((so(,uy.vis)/~i)* , , „ U ,// ((so^yv,s)/^tt’U^o 

e-> e -o e —> / -> .9 

for some e" £ Jo and f" £ J 4 . If e e', then the above implies 


e 


((so'uy.vis)/~') + ' 


eo 


and by (56) we have (e, g) £ y.vis. If e ~q e! and e 0 Jo, then by (56) we again get 
(e, g) £ y.vis. The only remaining case is e £ Jo, so that 


„ ((sOoUy.vis)/~o) + l> 


9- 


Assume (e, g) £ y.vis. We show that g £ J4, so that (e, g) £ U C y'.vis. This follows 
from the following claims: 

- We cannot have g ~q eo. For in this case we would have 


eo 


U ) j,,, ((S0ouy.vis)/~o) + u~o^ 


9 


e 0 . 


By (54), this implies 


((so(,uy.vis)/~o)+ > 


eo, 


which contradicts (55). 



- We cannot have 


((so'uy.ar)/-')- 


for any e'" £ Jq. For in this case we would have 


By (54), this implies 

j.„ ((sOoUy.vis)/~o) + ' 

which contradicts (55). Hence, g £ J\. 

- There cannot exist e \, e 2 such that 


(ei - 


> eo V (ei ~g eo A ei 0 Jo)) A 


objo(ei) - objo(e 2 ) A-.(ei - 


> e 2 ) A, 


((so(,uy.vis)/~(,) + l 


For in this case we would have 


((S0o uy. vis) /~o) + U~o ((so'uy.vis)/-')+U~' 

/ - >9 - > e 2, 


which implies 


Hence, 


((so'uy.vis)/~') + U~' ) 


e2- 


, ((so(,uy.vis)/~J) + , , / T \\ . 

(ei- > e 0 V (ei ~ 0 e 0 A e\ 0 Jo)) A 

■ ■/ / \ i */ / \ a , YV* X . ,// ((so'Uy.vis)/~y+i^ 

objo(ei) = obj 0 (e 2 ) A ->(ei->■ e 2 ) A / - )■ e 2 . 


which contradicts /" € J 4 . Hence, < 
Since 

j,„ ((sOpUy-vis)/^. 


g A f" € J 4 , 


we also have g £ J 3 and g £ J 4 . This shows that Y' indeed satisfies CausalVis. 
Finally, from (53) and (50) we get that 


08 , [{aioeoKoftj)) : x -»• F'ltelobjiCe)^}- 

From this and Y |= Fq, by Corollary 34 and Lemma 35 we get Y' |= Fq. 

We have thus shown how to convert an execution Y satisfying (48) and (49) into 
an execution Y' satisfying the same properties, but containing fewer events invalidating 
Eventual. Continuing this ad infinitum, in the limit we obtain the desired Xq. In 
particular, the prefix-finiteness of Xq .vis and Xq .ar is ensured by the removal of finitely 
many elements from J 3 in (52). ■ 





By (42) we have H' 0 £ ( Pl)obj ' 0 ; therefore, by Proposition J, X," £ 

[/>|I([]. o6jQ, Fq). We have also previously established observ(i7 0 ) = observ(i?Q). 
We have thus shown the following: 

Vo&) 0 : (dom(/A) U {x io } U {xj \ j = l..rn}) —^nj Obj. 

VF 0 : (range(o&? 0 ) - {io}) -> Spec. 

Vw £ Obj - range(o&7 0 ). ( obj 0 (x- lo ) = io) A (Vj = l..m.¥ 0 (obj(x j )) = [T)][]) => 
VX 0 e[P c 1 l([],o6i 0 ,Fo).3^. 

X 0 ® [-Pcldl. 0& ioloVar-{ a; ,U=l..m}[a:H>w],Fo|obj-range( 0 6j 0 | {X;j | ;( . =1 .. m} )[wH-[[D][]]). 

A observ(X 0 .f?) = observ(Xo .if). 

It is easy to see that this implies the statement of Theorem 42. □ 

D.5 Completeness 

Let us again fix an object variable environment {xj : Oj \ j = l..m} and a collection 
of commands 

{xj : Oj | j = l..m} | Win, «out I - C 0 , o G O. 

Lemma 43 Consider executions X, X ', X' 0 , Y', object ui and abstraction (J3, p) such 
that 

X ' = X o\{e\X^.ob](e)=u} A Y' = X' 0 1{ e |W',obj(e)#w} A X.E fl Y'.E = 0 A 

X.obj (X.E) n X(,.obj (X' 0 .E) =0 A (P,p):X->X'. 

Let 


X 0 = ((: Y'.E l±l X.E , Y '.label l±l X.label, 

X'.so U X.so U {(e, /) | e £ Y'.E A / £ X.E A (e, /?(/)) £ X'.sojrU 
{(e, /) | e £ X.E A / £ Y’.E A (/3(e), /) 6 X^.so}, 
y'.~ U X~ U {{e, f) | e £ Y'.£ AfGX.EA (e, /?(/)) £ X£.~} U 
{(e, /) | e £ X.E A / £ F'.£ A (/3(e), /) 6 X'.-}), 

F'.vis U Xvis, F'.ar U Xar). 

(57) 

If X' 0 and X are causally consistent, then X) is a causally consistent execution. 

Proof. We first show CausalAr. Then it is easy to check that Xj is indeed an exe¬ 
cution. Let /3' : Xo .E —y X’ 0 .E be defined as follows: 

/3'(e) = (if e £ X.E then /3(e) else e). 

From (/3, p) : X —)■ X' and the constraint on p in the assumptions of the theorem, we 
get that for all e, / £ X 0 .E: 

(e,/)eX).ar =* (/3'(e), /3'(/)) £ X ' 0 .ar U (id n (X'.£) 2 ); 

(e, /) £ X 0 .so fc# (/3'(e), /3'(/)) £ X'.so U (id n (X'.£) 2 ); 

(e,/) £ X 0 .~ «=► (8'(e), 3'(f)) £ X'.~. 




Hence, 


Ve, /. (e, /) e (X 0 .so U X 0 .ar)/(X 0 .~) (58) 

=*► me), 0'(f)) £ (X'.so U X',ar)/(X'.-) U (id n (X'.I?) 2 ). 

Assume there is a cycle in (X 0 .so U Xo.ar)/(Xo.~). Consider first the case when 
0' maps all events on the cycle to the same event in X' 0 ; then all of these events belong 
to X.E. Consider two adjacent events e, / £ X on the cycle. Since /6(e) = (6(f), we 
have (e, /) £ X.~ and e and / must be related by X.so. But then (e, /) £ X.so U X.ar 
and, since X is causally consistent, it must be that (e, /) £ X.so. Thus, the existence 
of the cycle contradicts the acyclicity of X.so. 

If (6’ maps at least two events on the cycle to different events in X' 0 , then (58) 
implies that (6' maps the cycle to one in (X 0 .so U Xo.ar)/(Xo-~), contradicting causal 
consistency of Xo. 

We now show CausalVis. Consider (e, /) £ (Xo.soUXo.vis)/(X 0 .~). Similarly 
to the above, we can show that either 

O0'(e),/?'(/)) e (X'.soUX'.vis)/(X'.~) 
or /3'(e) = (6'(f) and (e, /) £ X.so. Now consider 

(e 0 , /o) e ((X 0 .so U X 0 .vis)/(X 0 .~)) + A sameobj(X 0 ). 


Then either 

(/3'(eo),/3'(/o)) € ((X'.soUX'.vis)/(X'.~))+ Asameobj(X') 

or /3'(e o) = (6'(fo) and (eo,/o) € X.so. In the latter case we have (eo,/o) € X.vis 
since X is causally consistent. In the former case we get (/6'(e o), 0'(fo)) € Xg.vis since 
Xq is causally consistent. If 0'(e o ), 0'(f o ) £ Y'.E, then (e 0 ,/ 0 ) = (0'(e o ), 0'(f o )) 
and (e 0 ,/ 0 ) e X 0 .vis. If 0'(e o ), 0’(fo) € X’.E, then ((6,p) : X -> X' implies 
(e 0 , /o) £ X.vis C X 0 .vis. 

Finally, Eventual for X 0 trivially follows from Eventual for X and X' 0 . □ 

Lemma 44 Let 

[0 h let {xj = new Tj}j=i.. TO in (o(u in ) : u out = atomic {C' 0 }}oeo : 0][] = F 

and consider X' £ Exec(cc) such that X' f=<x [u> i—^ F], Further, consider obj £ 
[{a?j | j = l..m} —>inj Obj] and let F € [range(o6j) —> Spec] be such that Vj = 
l..m.¥(obj(xj)) = |Tj] []. Then there exists X £ Exec such that X |=cc F and 
(P, l{C 0 }oeoj(obj)) : X -a X'for some 0. 

Proof. We construct the required execution X as a limit of a sequence of executions 
constructed for fragments of X'. 

Consider a finite set of events E C X'.E that is closed under X'.so -1 and X'.ar -1 
and let Y' = X'\e- It is easy to see that Y' |=cc [w i—> F], Assume we have constructed 
Y £ Exec such that 

(00 ,p):Y^Y' A Y (=cc F 



for some /?o- If Y' = X', we are done. Otherwise, let us choose an event eo G X'.E—E 
that is minimal in X'.so U X'.ar, i.e., 

->3e € X'.E - E. e x '- soUX '- ar > eo . 

Let X' 0 = X'\ Bu{e 0 }; then X' (: |=cc [w i->- F], Note that eo that does not have succes¬ 
sors in X[ y so U Xy.ar. We now construct Xq g Exec such that 

(Po,p):X 0 ^X' 0 A XoKcF. 

Let p = l{C 0 } oe0 i(obj), N = ctxt(X£, e 0 ) and a = X' 0 .rva\(e 0 ). Since X' 0 (= C c 
[<u F], we have F(N) = a. Therefore, by Propositions 17 and 20, we get 

3/3, Z, Z'. (N , e 0 ) Z' A (/3, p) : Z -4 Z' A Z |= cc F A a = Z'.rval(e). 

Let W' = Z'\ N , E and W\ = Z\ /3 -i^ N E y From (/3 ,p) : Z -4 Z' and Z |=cc F it 
follows that 

(P\p- 1 (N.E),p)--Wi^W l A Wi |=cc F. 

Let 

W 2 = ((/3q 1 (iV.£;),F.label| /3 -i (JVE) ,y.so| {(ei/) | / 3 o(e)= ^ o(/)} ,y.~| {(ei/) |^ o(e)=/ 3 o(/)} ), 
5/r - vis l/3- 1 (Ar.B)>^- ar l/3- 1 (JV.B))- 
From (/3o ,p) : Y —> Y' and Y |= C c F it follows that 

HW \N.E V P) :W ^ W ' A W 2 \=CCW. 

Then by Theorem 19 we get that W 2 W\ for some n : W 2 .E —>-bij Wi-E such that 
V/ G W 2 .E. fio(f) = /3(7t(/)). 

Without loss of generality we can assume that Y.E n Z.E = 0. Let 
X 0 = 

((Y.E W /3 _1 (e 0 ), y.label W Z.label| 5 i ((;u) , 
y.sou Z.so|^-i (eo) U {(e,f) I e G Y.E A / G ^(eo) A (/3 0 (e),e 0 ) G X'.so} 

UZ.~|^- 1(eo) U {(e, /) | ,e.G Y.E A/ € jff-^eo) A (/3 0 (e),e 0 ) G l£ 

{(e,/) | e G r 1 (eo) A/g 7JA (e 0 ,/3 0 (/)) G X£.~}), 
y.vis U Z.vis| i g-i (eo | U {(e, /) | e G W 2 .E A / G /^(eo) A (7r(e), /) G Z.vis}, 

R + ), 

where 

i? = F.ar U Z.ar|^-i (eo) U {(e, /) | e G W 2 .£ A / G #“%<,) A (7r(e), /) G Z.ar} 

U {(e, /) | e, / G W 2 .E A (7r(e), tt(/)) G W^ar}. 

Let fi' : Xq.E —> X' 0 .E be dehned as follows: 

/3'(e) = (if e G Y.E then /3 0 (e) else e 0 ). 




We first show /T(Xo.vis) — id C Xg.vis and /3'(Xo.ar) — id C Xg.ar. Since (/ 3o,p ) : 
Y —> Y', we have 

/3'(y.vis) — id C y'.vis C Xg.vis. 

Now consider e £ W 2 -E and / e 0~ 1 (eo) such that (7r(e), /) 6 Z.vis and 
/5o(e) = /3'(e) ± /?'(/) = e 0 . 


We have 

(^(7r(e)),/3(/)) = (^o(e),eo). 

Then since (0,p) : Z Z', we get 

(/3'(e),/?'(/)) = (Aj(e),e 0 ) € tf.vis C X'.vis. 

This shows /T(Xo.vis) — id C Xg.vis. We can similarly show /T(Xo.ar) — id C Xg.ar. 

We have ($'. p) : X 0 .H — » X' 0 .H by the construction of X 0 . To show (0 r , p) : 
Xo —» Xq it remains to establish /3 ,_1 (Xo.vis)nsameobj(Xo) C Xy.vis. Since (80, p) ■ 
Y —> Y', we have 


0’ 1 (y , .vis) fl sameobj(y) C y.vis C X 0 .vis. 


Now consider 

e' e Y'.E, e^0Q l (e') CY.E, f £ 0~\e o ) C Z.E 

such that (e',eo) £ X' 0 .\/is and y.obj(e) = Z.ob](f). We need to show that (e,/) £ 
Xo.vis. Since (e',eo) £ Xp.vis, we have e! £ Z'.E, so that (e',eo) £ y'.vis. Then 
7r(e) £ Z.E. Since W\ w„. W 2 , we have 

(0(7r(e)),/?(/)) = (0o(e), e 0 ) = (e',e 0 ) £ # vis 


Xobj(7r(e)) = y.obj(e) = y.obj(/). 

Taking into account (0, p) : Z —» Z’ we get (7r(e), /) € y.vis, which implies (e, /) £ 
Xo.vis, as required. Hence, (0',p) : Xq.H —> X’ 0 .H. 

We now show that X 0 satisfies CausalAr and CausalVis, similarly how we 
proceeded in the proof of Lemma 43. This implies that Xo is an execution. 

Since {0', p) : X 0 -> X' 0 , for all e, f £ X 0 .E: 

{e, f) £ X 0 .ar => (0'(e),0'(f)) £ X'.ar U id; 

(e, /) £ X 0 .so =► (/3'(e),/3'(/))eX'.soUid; 

(e,/) £ X 0 .~ ^ (0'(e),0'(f)) £ X' 0 .~. 


Hence, 


Ve, /. (e, /) e (X 0 .so U X 0 .ar)/(X 0 .~) 

(0'{e) J(f)) £ (X'.soUX'.ar)/(X'.~)Uid. 




Assume there is a cycle in (Yq.so U Xo.ar)/(Xo.~). Then there is also a cycle in 
(A 0 .so U -R)/(X 0 .~). If /?' does not map all events on the cycle to the same event 
in Xq, then the above shows that /3' maps the cycle to one in (Xq.so U R)/(X' 0 .~), 
contradicting causal consistency of X’ 0 . 

Consider now the case when /?' maps all events on the cycle to the same event 
e' £ X’yE. Consider (e, f) £ (A 0 .soUf?,)/(X 0 .^) such that fi'(e) = fi'(f) =e , .Then 
(e,/) £ X 0 .~. Hence, (e,/) £ X 0 .so UR and either (e,/) £ X 0 .soor (f,e) £ X 0 .so. 
It is easy to see that we cannot have (e,/) £ X 0 .so and (/, e) £ X 0 .so. Assume 
(e, f) £ R and (/, e) € X 0 .so. If we had (e, /) e Y.ar or (e, /) e Z.ar \ 3 then 
this would contradict the causal consistency of Y or Z. Hence, we can only have 

e,f£ W 2 .£?A(7r(e),7r(/)) € W^ar 

and (/, e) e Yso. Then A 0 .obj(e) = X 0 .obj(f) and, since Y is causally consistent, 
we have (/, e) 6 Y.vis and, hence, (/, e) £ Y. ar. But, together with the above, this 
contradicts W 2 Wj. Thus, we must have (e, /) £ X 0 .so. In this way, we get a cycle 
in A 0 .so, which we cannot have by the construction of X 0 . We have thus established 
that Xo satisfies CausalAr. Then CausalVis is shown as in the proof of Lemma 43. 

Finally, we prove that X 0 |= F. Consider e 6 X 0 .E such that A 0 .obj(e) £ dom(F). 
First assume that e £ Y.E. Since Y |= F and Yar C A 0 .ar, we have 

Xo.rval(e) = Yrval(e) = F(Y.obj(e))(ctxt(Y, e)) = F(X 0 .obj(e))(ctxt(A 0 , e)), 

as required. 

Assume now that e £ /3 -1 (eo). Since Z \= F, we have 

A 0 .rval(e) = Y.rval(e) = F(Y.obj(e))(ctxt(Z, e)) = F(A 0 .obj(e))(ctxt(Y, e)) 

We now establish a correspondence between ctxt(Y, e) and ctxt(X 0 , e). First, of all, 
we have ctxt(Xo, e).p = X 0 .aop(e) = Z. aop(e) = ctxt (Z,e).p. We now show that 
there is a bijection between the events in these contexts. 

- Consider / £ ctxt (X 0 ,e).E. Then (/, e) £ A 0 .vis and, hence, either / £ W 2 .E 
and ( 7 r(/), e) £ Y.vis or f £ /3 _1 (eo) and (/, e) £ Y.vis. For / £ ctxt(X 0 , e).E 
let 

7r'(/) = (if / e W 2 .E then 7 r(/) else /). 

Then / £ ctxt (X 0 ,e).E implies n'(f) £ ctxt (Z.e).E, so that tt' : 

ctxt(X 0 , e).E -A ctxt(Y, e).E. 

- Consider f £ ctxt(Y, e).E. Then (/'. e) e Y.vis and, hence, either f £ /? _1 (eo) 
and (/', e) e X 0 .vis or /' e Wi-E 1 and ( 7 r _1 (/ / ), e) e A 0 .vis. Thus, if (/', e) e 
Y.vis then for some / e ctxt(Xo, e).E we have 7r'(/) = /'. 

Hence, 77 ' is a bijection. 

Consider /, g £ ctxt(Xo, ej.L C IY 2 .E U ( S _1 (eo). We have the following cases: 

- J'-U ? ('■())• Then 

(/,S') e ctxt(A 0 ,e).vis 


{«■'{/), tt' ( 3 )) = e Y.vis. 




- / G W 2 .E and g £ ,3 '(«,,). Then 

(/,<?) ectxt(X 0 ,e).vis «=* (7r / (/),7r / ( 5 )) = ( 7 r(/), 5 )eZ.vis. 

- f,g £ W 2 .E. Since W 2 fas*. Wi, we get 

(/, 5 .) €ctxt(X 0 ,e).vis <f=f (n'(f)y(g)) = (n(fU( 9 ))£Z.v\s. 

Hence, 7r'(ctxt(X 0 , e).vis) = ctxt (Z, e).vis. 

We now prove a similar statement about arbitration. Consider (/, g) £ ctxt(Z, e) .ar; 
then f,g £ W\.E U /3 _1 (eo). We have the following cases: 

- f,g £0r i (e o ). Then 

(7r , “ 1 (/),7r , “ 1 (5)) = (/,5) G ctxt(X 0 ,e).ar. 

- f £ W X .E and g £ 3 '(f: 0 ). Then 

(7r , “ 1 (/),7r , “ 1 (5f)) = g) £ X 0 .ar. 


- /,je Wi.-E.Then 

(7 T'-\f)y~\g)) = (vr 1 (/),rr '(//)) G X 0 .ar. 

Hence 7r _1 (ctxt(Z, e).ar) C ctxt(X 0 , e).ar. 

From the above correspondence between ctxt(Z, e) and ctxt(X 0 , e) and the prop¬ 
erties of data type specifications, we get 

X 0 .rval(e) = F(A 0 .obj(e))(ctxt(Z, e)) = F(X 0 .obj(e))(ctxt(X 0 , e)), 

which establishes X 0 \= F. Hence, X 0 |=cc F. 

Applying the above construction of Xq from Y ad infinitum starting with E = 0 
and empty Y and Y', in the limit we obtain X £ Exec such that 

(0 r p) : X X' A X |= CCS F 

for some 0 (in particular, the prefix-finiteness of X.ar follows from (0. p) : X —> X'). 

We now show that X satisfies Eventual, thereby establishing X |=cc F. Assume 
Eventual does not hold, i.e., for some e £ X.E we have 

3 infinitely many / £ X.E. sameobj(A)(e, /) A ->(e X vis > /). 

Let {fk}kL i be a set of such fs. Since for any / £ X'.E, 3~ 1 (f) is finite, we can 
assume without loss of generality that /3(e) 0 3{fk) for any k and 3(fj) ^ 3{fk) for 
any j and k such that j 7^ k. But then, since (6, p) : X —> X', we have 

-(/5(e) 0 (/ fc )), 


for k , which contradicts Eventual for X '. 



Proposition 45 Assume 


AU{x :0}\ S\- <7; 

A U {xj : Oj | j = l..m} | £ \~ subst({(x, 6) i-» C Q \ o £ O}, C). 


Vobj : dom(Z\ U {x : O} U {xj : Oj \ j = 1 ..to}) —> inj Obj. 

V<r : X? -► Val. VP, P'. V/3 : H.E —f P'.P. 

(((/3, [{a}oeo](o6i| {x3 ^|.. m} ), o&j'(x)) : H => H') A 
-ff' e (|C , D(o6j|oVar-{x ; ,|j=l..m}> cr )) 

=> Pe (|sM&sf({(x,o) i-4 <7 0 | o e O}, C)|)( o6 J|ovar-{x}), a). 

Corollary 46 Assume 

0 | A U {a; : 0} b P c ; 

0 | A U {xj : Oj | j = 1 ..to} h sufcsf({(x, o) i-4 C 0 | o e O}, Pc). 


Vo6j : dom(Z\ U {x : O} U {xj : Oj \ j = 1 ..to}) ->j n j Obj. 

VP,P'.V/3 : 11.E-+ W.E. 
m UCoUoUobj ro} ), o6j(*)) 

H' € (Pc)(0&i| 0 Var- {a; ,|i=l.. m} )) 

=► H e <«t*6«t({(x, 0 ) ^ C 0 I o e 0},P c ))(o6i|ovar- { x}))- 

Theorem 47 (Completeness) Lei 

£> = (let {xj = new Tj in {o(v in ) : u ou t = atomic {(7„}}„ fc o); 

P 2 = (let x = new D in P); 

P 1 = (let {xj = new in s«&sf({(x, o) H | o g 0},P)), 

where P 1 ant/ P 2 are complete. Then [P 2 ]cg CUP 1 ] CG- 
Proof. Let 

0|{x io :{a io }}UZiU{x:O}hP 2 ; 

0 I {*io : {o io }} U A U {Xj : Oj \ j = l..m} h P£ 
be the client parts of P 1 and P 2 , respectively, so that 

Pc 1 = subst({(x,o ) ^ C 0 I o e 0},Pc). 

Consider any o&jg : (dom(Z))U{xio, x : O}) —>j n j Obj such that obj' 0 {x to ) = ioand 
Fq : (rang e(obf 0 ) - (io>) ->■ Spec such thatF^(o6/ 0 (x)) = [£>][]. Let obj' 0 (x) = w. 
Further, consider any execution 

^oe[i?ia.l,o6/o,r 0 ). 



Then 


X' q .H e (Pl)obj' 0 A X'hcc r 0 . 

Let X' = ^ol{e|x'.obj(e)=u}- Pick any obj : {xj \ j = 1 ..to} —hnj Obj such that 
range(oftj) n range(o6/ 0 ) = 0 and let F e [range(oftj) -*• Spec] be such that Vj = 
l..rn.F(o6j(xj)) = [!)][]. It is easy to check that X' 0 |=cc Fq implies X' |=cc 
\uj ([£>][])]. Then by Lemma 44 there exists X and 8 such that X |=cc F and 
(8, [{Cojoeo] (obj)) : X —¥ X' for some 8. Without loss of generality we can assume 
that X.E n X' 0 .E = 0. 

Let Y' = Xq\{ e \ X ' .obj(e)^w} and let X {) be defined by (57). Then by Lemma 43, Xq 
is causally consistent. Define 

obj 0 : (dom(Zl) U {xi 0 } U {xj \ j = —h„j Obj; 

F 0 : (range(o6j 0 ) - {io}) -> Spec 

as follows: obj 0 (xj) = obj(xj) and obj 0 (x) = obj' 0 (x) for all other x; Fo(u/) = .F(i</) 
fora/ € range(«/y j and F 0 (u/) = f|(u/) for all other X. It is easy to see that X 0 \= F, 
so that X 0 |=cc F. 

Let 8' '■ X 0 .E —> X'q.E be defined as follows: 

8'(e) = (if e e X.E then 8(e) else e). 

From (8,\{ G o)oeo\(obj)) : X X' it follows that (8', l{C 0 } 0 eo\(obj), u>) : 
X.H => X'.H. Then, since X’ 0 .H e (Pl)obj' 0 , by Corollary 46 we have X 0 .H € 
(Pl)obj 0 . As we also have X 0 |=cc F, we get X 0 e [f c |({] 5 o&j 0 ,F 0 ). Furthermore, 
observ(X 0 .F7) = obser v(X' 0 .H), as required. □ 

E Proof of the social graph data type and additional examples 

E.l Proof of the social graph data type 

We now prove that the data type from Figure 3 has the specification F soc from §5 as its 
denotation. Take any 

obj £ {friends[a\, requesters[a] \ a = 1..N} —^ n j Obj 

and let F = Xu>. F RWset . Let p = |{ C 0 } oe o}(obj), where O is the data type signature 
and C 0 are the commands from Figure 3. It is easy to check that for any context N over 
the data type operations we have 7 (N, p, F) / 0. We now prove that for any context N 
we have 

VX,c.(X,c)€i(N,p,W) => c = F soc (N) 

by induction on the size of N.E. Consider a context N such that \N.E\ = n and assume 
the above holds for all contexts with \N.E\ < n. Let 

N = ( p, M), E' = N.E, aop' = W.aop 

and vis 7 and ar' are as in Definition 7. 



Take (X, c) € j(N,p,¥), where X = (H, vis, ar) = ((F, label, so, ~), vis, ar) (we 
also use derived selectors, such as obj). Then for some eo £ E' and 8 we have 

(P,p):X^(N,e 0 ,c)AX^ccV. 

Hence, for some {c/ G Val | / G E'} we have 

(V/ £ E'.Hlp-ufi e p(aop'(/),c/)) A 
(ff|^- 1 (eo) ep(p,c)) A ft(H.so) C id A /3(F.~) C id 

and ( 10 )-( 12 ) hold. 

From the induction hypothesis and Lemma 35 it is easy to establish 

V/ G E'. Cf = F soc (ctxt(M, /)). (59) 

We need to show that c = F soc (N). 

Let us first consider the case when p = get (a). Then we have: 

fst(c) = 

{b | 3e G E. obj(e) = obj(friends[a\) A aop(e) m add( 6 ) A 

V/ G E. obj(/) = obj(e) A aop(/) = remove( 6 ) => / e}; 

snd(c) = 

{b | Be G E. obj(e) = obj(requesters[a\) A aop(e) = add(6) A 

V/ G E. obj(/) = obj(e) A aop(/) = remove( 6 ) => / e}; 

fst(F S 0 C (W)) = 

{b | Be G E '. (aop'(e) = accept(( 6 , a) \ (a, b))) A F S 0 C (ctxt(M, e)) A 
V/ G E'. (aop'(/) G breakup(( 6 , a) \ (a, b ))) A F S 0 C (ctxt(M, e)) 

snd(F soc (AT)) = ^ 

{b | Be G E'. (aop'(e) = request( 6 , a)) A F soc (ctxt(M, e)) A 

V/ G E'. (aop'(/) G (accept | reject)(( 6 , a) | (a, 6 ))) A F soc (ctxt(M, e)) 
=> /^e}. 

- Take b G fst(c). Then for some e G F we have 

(obj(e) = o 6 j(/nends[o]) A aop(e) = add( 6 ) A V/ € F. obj(/) = obj(e) (60) 
Aaop(/) = remove( 6 )) => / —e. 

Then aop'(/3(e)) G accept(( 6 , a) | (a, b))), = true and by (59), 

F soc (ctxt(M, /3(e))) = true. Consider / G E' such that 

(aop'(/) G breakup(( 6 , a) | ( a,b ))) A F soc (ctxt(M, e)). 

Then / 7 ^ /3(e) and by (59) we have c/ = true. Hence, for some e' £ E such that 
/3(e') = / we have 


obj(e') = o&j(/ r * eru M a D A aop(e') = remove(6). 



Then by (60) we have e! —>• e. By (10) this entails / -—4 /3(e). This shows 
b £ fst(F soc (N)). 

Take b £ ht(F soc (N)). Then for some e £ E' we have 

(aop'(e) = accept((6, a) \ (a, b ))) A F soc (ctxt(M, e)) A 
V/ £ E'. (aop'(/) £ breakup((6, a) \ (a, b))) A F soc (ctxt(M, e)) (61) 

^ / ^e. 

By (59) we get c e = true. Hence, for some e! £ E such that 0(e') = ewe have 
obj(e / ) = obj(friends[a]) A aop(e') = add(6). 

Consider f £ E such that 

°bj(/) = obj(e') A aop(/) = remove (6). 

Then aop'(/3(/)) £ breakup((6, a) | ( a,b )), = true and by (59) we have 

F soc (ctxt(M,/?(/))) = true. Hence, by (61) we have /?(/) -^4 /3(e'). Then 
by (11) we have / —> e', which shows that b £ fst(c). 

Take b £ snd(c). Then for some e £ E we have 

(obj(e) = obj {requesters [a]) A aop(e) = add(6) A V/ £ _E.obj(/) = obj(e) 

A aop(/) = remove(6)) => / -^4 e. 

(62) 

Then aop , (,5(e)) = request(6, a) and cp( e ) = true. Also, by (59), 
i ? soc (ctxt(M, fi{e))) = true. 


Consider f £ E' such that 

(aop '(f) £ (accept | reject)((6, a) \ ( a,b ))) A F soc (ctxt(M, e)). 

Then / ^ /3(e) and by (59) we have c/ = true. Hence, for some e' £ E such that 
P(e') = f we have 

obj(e / ) = obj(requesters[a\) A aop(e') = remove(&). 

Then by (62) we have e' —> e. By (10) this entails / —> /3(e). This shows 
b £ snd(F soc (AT)). 

Take b £ snd (F soc (N)). Then for some e£ E’ we have 
(aop'(e) = request(6, a)) A F soc (ctxt(M, e)) A 

Vf £ E'. (aop'(/) £ (accept | reject)((6, a) \ (a, b))) A F soc (ctxt(M, e)) 

f (63) 




Fig. 8. A shopping-cart data type. We use some syntactic sugar and a generalisation removeAll 
of the remove operation of AWset. 

D cart = let [items = new AWset; 

inline resol ve(book) = { 

var entries = {( book,n ) | ( book,n ) € items. get}; 

items. removeAll(entnes); return nmx({n | (_, n) € entries} U {0})}} in { 
inc(6oofc, n) = atomic { var m = resol ve(book)-, items.a.dd(book, m + n) }; 
d ec(book,n) = atomic { var to = resolve(feoofc); 

if (to — n > 0) then items.add(book, m — n) }; 
count (book) = atomic { var to = resolve(feoofc); items. a.dd(book, to); v out = to } } 


By (59) we get c e = true. Hence, for some e/ £ E such that P(e') = e we have 
obj(e / ) = obj(requesters [a]) A aop(e') • add(6). 

Consider f £ E such that 

°bj(/) = obj(e') A aop(/) = remove (6). 

Then aop'(/3(/)) £ (accept | reject)((6, a) | ( a,b )), Cp0 = true and by (59) 
we have F S0C (ctxt(M,/?(/))) = true. Hence, by (63) we have /?(/) —A /3(e'). 
Then by (11) we have / —¥ e', which shows that b £ snd(c). 

The above establishes c = F soc (N). 

We now consider the case when p = accept (b, a); the others are analogous. We 
have 

F soc (N) = (b£ snd(F soc (get(a),M))) 
and 

c = true •£=> (3e e E. obj(e) = obj(requesters[a]) A aop(e) = add(6) A 

V/ £ E. obj(/) = obj(e) A aop(/) = remove(6) =>■ / e). 

But we have already shown that the above is equivalent to b £ snd(F soc (get(a), M)), 
as required. □ 

E.2 A shopping-cart data type 

The example appearing in Figure 8 implements a shopping cart for an online book¬ 
store. Conceptually, a shopping cart is a map from book titles to non-negative integers, 
representing the number of copies requested. The data type provides three operations: 
inc(book, n) and dec (book, n) for increasing or decreasing the count associated with 
a book by a positive integer n, and count (book) for querying the count (an operation 
giving the full cart contents can be implemented similarly). The cart can be accessed 
concurrently in different sessions, e.g., by spouses. This can lead to conflicts when the 



Fig. 9. (a) A context of the data type in Figure 8; and (b) an execution belonging to 
sation. We use the same conventions as in Figure 5. 

its concreti- 

(a) 

inc(6,2) inc(6,3) 

d>) a>.get(b): 0 :cu.get (by. 0 

<w.removeAll(0): :w.removeAll(0) 

tu.add((/>,2)) :w.add((6,3)) 


eo: count(6): 3 

./: (xg^!(6,2)f(A3)r 

(u.removeAll({(f>,2), (b, 3)J) 
cu.add((6,3)) 



count for the same book is updated concurrently, as in the context shown in Figure 9(a). 
Our implementation takes one possible choice of resolving such conflicts so that in¬ 
creases win against concurrent decreases or smaller increases; this results in customers 
buying more. Thus, its denotation returns 3 on the context in Figure 9(a). 

The implementation represents the cart using an add-wins set that stores pairs of 
a book ordered and the corresponding positive count. Multiple concurrent updates to 
the count of the same book result in separate entries (book, m),..., (book, rik)', see the 
event / in the execution in Figure 9(b), which concretises the context in Figure 9(a). 
To resolve such conflicts, an operation involving the book replaces the above entries 
by their maximum rna,x{n-|,..., n A: } (implemented by the macro resolve). Using an 
add-wins set to represent items is crucial for the correctness of our implementation: it 
ensures that removeAll in resolve removes only the entries it computes the maximum 
of; in a remove-wins set it would also cancel all concurrent operations. 

Below we prove that the shopping cart data type has the following specification 
-Peart as its denotation in our semantics. Informally, F caxt applies the sequential se¬ 
mantics of shopping cart (formalised by the function G below) to all maximal paths 
of events in visibility in the context (where maximality is given with respect to the 
subsequence order) and takes the maximum of the results: 

F caxt (inc(book, n),M) = F cart (dec(book, n), M) = _L; 

F cart (count (book), M) = max({0} U {G(7T, 0) | n is a 

maximal vis-path of events in M.E that operate on book}), 

where G(n, m) are defined as follows: 

G(e,m) =m 

G(eTT, m) = G(n, max {0, m—n}) if M.aop(e) = dec(book, n) 

G(e-K, m) = G(tt, m+n) ifM.aop(e) = inc(book,n ) 

G(eTT, m) = G(tt, m) otherwise 

Thus, Fcart explains the outcome of operations in the distributed setting M in terms of 
their sequential executions consistent with visibility: the number of copies of book is 
the maximum possible value that can result from such executions. 





Proof of the shopping-cart data type. Let {C 0 } 0 eo be the implementations of op¬ 
erations of the shopping-cart data type. We will prove that 

VAT. Ve. Vobj 6 [{items} —* in j Obj]. VF. VX. V/3. 

(e £ (N.E) A F (obj(items)) = F AWset A (p, [{<J*y obj ): X^(X, e, _) A X \= cc F) 

3e 0 e /3 -1 (e). X.op(e 0 ) = get A 

\/book. max ({0} U {n | ( book,n ) G X.rval(eo)}) = F cart (contains(&ooA;), N.M), 

(64) 

where N.M is the partial operation context of M (i.e., M except the first component of 
the applied operation). 

Before proving this implication, we show that it entails the correctness of our spec¬ 
ification F cart for the shopping-cart data type. Consider 

N, eg (N.E), obj G [{items} ^ inj Obj], F, X, p, c G Val 

such that 

¥(obj(Uems)) = F AWset A (p, l{C 0 } oe0 jobj) : X (N, e,c) AX hcc F. 

We need to show that F csxt (N) = c. By the dehnition of (/3, \{C 0 } oe o\obj) : X —> 
(N, e, c), we have 

(X.H )G l{C o } oeO } 0 bj(N.p,c). (65) 

Recall that the shopping-cart data type implements only three operations, that is, those 
in O = {inc, dec, contains}. Hence, by the semantics of {C 0 } oe o, the set member¬ 
ship in (65) implies that for some nonnegative integers book' and n', 

(. N.p = inc(book',n') A c = 1) V ( N.p = dec(book',n') A c = 1) 

V (N.p = contains(6oofc / )). 

It is easy to see that the desired F cart (N) = c follows in the first two cases. In the third 
case, we use (64) and deduce that 

3e 0 € /? -1 (e). X.op(e 0 ) = get A 

^max ({0} U (n | (book', n) G X.rval(e 0 )}) = F cart (contains(6oofc / ), N.M)^j. 

By (65) and the definition of |{C' 0 } oe o] (in particular, the part for Contains), the LHS 
of the above equation is equal to c. But the RHS of the equation is precisely F cart (iV). 
Hence, the above equation implies that F cart (N) = c, as desired. 

We now go back to the proof of (64). Consider 

N, e £ (N.E), obj G [{items} —h n j Obj], F, X, p 

such that 


¥ (obj (items)). = F A 


A (p,l{C o } oeO } 0 bj):X^(N,e,-) 
A X hcc F. 



We should show that 


3e 0 e # 1- (e). X.op(eo) = get A 

(vbook. max ({0} U {n | (book, n) eX.rval(eo)}) = F calt (contains (book), N.M)j, 

where N.M is the partial operation context of N. Note that in the implementation of 
all the operations of the shopping-cart data type, the macro resol ve(book) for some 
nonnegative integer book is run first, and this macro starts by calling the get operation 
of the items object. Furthermore, (X.H)\p-i( e ) should describe the computation of 
one of such shopping-cart operations, because (X.H) \p-i( e ) € [ \{C 0 } oe o\obj(N.p, _). 
Hence, 

3eo € /3 _1 (e). Xop(e 0 ) = get. 

It is sufficient to show that this eo satisfies the following property: 

\/book. max ({0} U (n | (book, n) E X.rval(e 0 )}) = F caTt (contains(book), N.M). 

(66) 

We will prove the following slightly more general fact. For every E' C (N.E) closed 
under JV.vis -1 (i.e., N.v\s~ 1 (E > ) C E'), if we let E' 0 = fj~ l (E r ) and N' = N\ E i, we 
have that 

Mbook. F cart (contains(6oofc), iV'.M) = (67) 

max ({0} U {n\ (book,n) € E^ SRi (get, E' () , X.aop|,.,',X.vis|/.;<, X.af|/;')}). 

where N'.M is the partial context of N'. Note that this implies (66) because 

E' 0 = /3 -1 ( N.E ) => ctxt(W,e 0 ) = (get, E' 0 , X.aop| E /, X.vis|X.ar|) . 

Our proof of (67) is based on the induction on the size of E'. The base case is that 
E' = 0. In this case, the RHS of (67) is 0. Also, since E' is empty, so is E' 0 = /3~ ' (E r ). 
Thus, FAWset(g et ; • • •) on the LHS of (67) returns the empty set, from which follows 
that the LHS is 0. 

Next we handle the inductive case. Let E’ be a nonempty A r .vis~ ' -closed subset of 
N.E. Let 

E^ = fi \E') and N' = N\ E >. 

Pick a nonnegative integer book. Let 7r be a maximal vis-path of events in E' that operate 
on book and G(ir) = F cart (contains(6ooA:), N'.M), if such ir exists. Otherwise, we 
set7r = e, so that G(n) = F cart (contains(book), N'.M) even in this degenerate case. 
If G(n) = 0, 

F caxt (conta.ins(book), N'.M) = 0 < 

max ({0} U {n \ (book,n) € F AWset (get,E',Xaop|^,Xvis|^,Xar|^)}). 

Otherwise, 7r should be of the form n'f. Let 

E" = (N.v\s)~ 1 (f), E” = p~\E"), N" = N\ E n, E'" = E" U {/}, 

E'q = p~ 1 (E"'), and N"' = N\ E ,„. 



By the induction hypothesis, 

JF C art (cont ains ( book) , N". M) = 

max ({0} U {n | (book,n ) g F AWset (get,EQ,Xaop| E '',X.vis| E '/,Xar| B //)}). 
By the claim that we will show at the end of this proof, the above equality implies that 
•Pcart(contains(6oofc), N'".M) = 

max({0}U{n| ( book,n ) g F AWset (get,Fo , ,X.aop| £ ;''/,Xvis| B "/,Xar| £ ;///)}). 
Hence, 

F cart (contains(6oofc), N' .M) 

= G{-k) 

= F cart (contains (600/:), N"'.M) 

= max ({0} U {n| ( book,n ) g F AWset (get,£'o , ,X.aop| £ :''',X.vis| B "',Xar| B ///)}). 
< max ({0} U {n| ( book,n ) g /’AwsetCget. E' 0 . X.aopj/.^, X.vis|/.;'. X.ar|y,;>)}). 
The last inequality holds because for every nonnegative integer n, 

(book,ri) g F A w set (get, Fg 7 , Jf.aop|^;'", Jf.vis], Jf.arj^") (68) 

=> (book, n) g F AWs et(get,Fo,Xaop|B',Xvis|B',Xar| B /). 

This imphcation itself holds for the following reason, n'f is a maximal vis-path 
of events that operate on book, so / is not iV.vis-related to any in c(book,...) 
or dec (book,...) events in E' 0 . This and the fact that (0, l{C 0 }„ e ol obj) : 
X —» (N, e, _) together ensure that all the uncancelled add(600A:,...) events in 
(E'q, X.aop\E' 0 ", X.visl^'", X.ar\E> 0 ») remain uncancelled in the bigger operation con¬ 
text (E' 0 , X.aop|E' , 3f-vis(M s ,X.ar|B'). From this follows the implication in (68). 

Now let n be the maximum of 

{n | (book,n) g F AWset (get,Fo,X.aop| B ',X.vis| B /,X.ar| s j)}, 
if this set is not empty. Otherwise, we set n = 0. If n = 0, 

max ({0} U {n \ (book,n) g F AWset (get,Fo,X.aop| E £,X.vis| B ',X.ar| B /)}) 

= 0 

< F cart (contains(&ooA;), N'.M). 

Assume now that n / 0. Then, there exists / 0 g E' 0 such that X.aop(/o) = 
add(600A, n) and /o is not (X.vis)-related to any event in E' 0 that removes (book, n). 
Let 


f = P(fo), E" = (N.\/\s)~ x (f), E^ = p-\E"), N" = N\e", 
E'" = E" U {/}, F(," = /3~ 1 (E'"), and N"' = N\ E ,„. 





By the induction hypothesis, 

•Fcart(contains(6oofc), N".M) = 

max ({0 } U {to | ( book,m ) G F AWset (get,£",Xaop|^,Xvis|^,Xar|^)})- 
By the claim that we will show at the end of this proof, the above equality implies that 
-Fcart (contains(600/:), N"'.M) = 

max ({0} U {to | ( book,m ) G F AWset (get,Fo , ,X.aop| B //',X.vis| f ;/'/,Xaij £ :///)}). 

All the shopping-cart operations on book remove every entry involving book from the 
items object before adding any entry on book to the same object. Also, the adding 
operation happens at the end of these operations, if it ever happens. Thus, 

{to I (book, to) G F A y set (get, Eq , X.aop\ E > o », X.\/is\ E ' 0 ",X.ar\ E »>)} = {n}. 

From the same reason and the fact that /o is not (X.vis)-related to any event in E' 0 
that removes (book, n), it follows that / is not (A\vis)-related to any event in E' that 
operates on book. Because of these two observations, 

n = F cart (contains(6oofc), < F cart (contains(6oofc), N'.M). 

The only remaining part of our proof is to discharge the following claim: for all 
/ G N.E and nonnegative integers book, if we let 

E" = (N.\i\s)~ 1 (f), EX N" = N\ e „, 

E m = E" U {/}, Eq = P~ 1 (E'"), and N'" = N\ E n,, 
and 

F cart (contains(6oofc), N".M) = 

max ({0} U {n | ( book,n ) G F AWset (get,FQ,Xaop| B '',X.vis| B »,X.ar| B '/)}), 

(69) 

then 

F cart (contains(&ooA;), N"'.M) = 

max ({0} U {n | (book,n) G F AWset (get, FQ , ,X.aop| B '",X.vis| B '",X.ar| B ///)}). 

(70) 

Pick / G N.E and book. Define E", E'", Eq, E(”, N", N'" as described in our claim 
above. Also, assume that these data satisfy the equality in (69). We will prove the re¬ 
quired equality in (70) by the case analysis on A 7 .aop(/). Since 

V/' G (N.E). (X.H) G l{C 0 } oe o}obj(N .aop(f), _) 

and [{C 0 }oeo] obj is defined only for the inc, dec and contains operations with 
nonnegative integer arguments, we only need to consider the following three cases of 
N.aop(f): 

N.aop(f) = inc(book',n') V N.aop(f) = dec(book',n') 

V W.aop(/) = contains (book 1 ) 
for some nonnegative integers book' and n!. 



- Assume that N.aop(f ) = inc(book', n!) for nonnegative integers book' and n'. If 
book ^ book 1 , 

-F cart (contains(&ooA;), N'".M) 

= -F cart (contains(6ooA;), N" .M) 

= max({0} U {n \ (book, n) £ F AWset (get, Eft, X.aop| B '',Xvis| £ '/, Xarj^)}) 

= max({0} U {n \ (book, n) £ F AWset (get, £'o",Xaop| £ ;'",X.vis| B »',Xar| B / i //)}). 

The first equality comes from the definition of F cart and the fact that book' 7^ book, 
and the second holds because of the assumption (69). The third holds because none 
of the events in E' ( ” — Efi is an inc or dec operation involving book. Assume now 
that book = book'. 

^cart(contains(6ooA;), N'" .M) 

= F cart (contains(6ooA;), N".M) + n' 

= max({0} U {n \ (book, n) £ f AWset ( get, Eq, X.aopl^jXvisI^;//, Xarj^)}) + n' 
= max{n | (book, n) £ F AWset (get, E'q ,X.ao<p\ E ^,X.M\s\ E ^,X.ar\ E ^)} 

= max({0} U {n \ (book, n) £ F AWset (get, Fo , ,Xaop| £ :''',X.vis| B "',Xar| B //')}). 

The first equality holds because N'" is the extension of N" with the A"'.vis- 
maximum event / and the operation performed by / is inc (bookin') = 
inc (book,n'). The second comes from the assumption (69). The third holds be¬ 
cause the implementation of the inc(book', n'j operation removes all the elements 
involving book' from the items set and adds the following tuple to the set: 

(book', 

max({0} U {n | (book, n) £ F AWset (get, E((, X.aop| B ", Xvis| B ", X.ar\ E »)}) + n'). 
Furthermore, by the same reason, for every nonnegative integer n, 

(book, n) £ F AWset (get, Ao",X.aop| B '", A.vis| E '",X.ar| E ///) 


max({0} U {n \ (book, n ) e F AWset (get, Eq , Xaop| B ", Xvis| B », Xar| B //)}) -(- n'. 

From this and the fact that n' > 0 follows the last equality in our derivation above. 

- Assume that A’.aopf/) = dec(book', n r ) for nonnegative integers book' and n'. 
The overall structure of the proof of this case is similar to that of the previous one. 

If book 7^ book', 

F cart (contains(6ooA;), N"' .M) 

= F cart (contains(6oofc), N" .M) 

= max ({0}U{n | (book,n) £ F AWset (get, Fq , X.aop| B ", X.v\s\ E > o >,X.ar\ E >>)}) 

= max({0}U{n | (book,n) £ F AWset (get,F0 , ,Xaop|£'",Xvis|£'",Xar| B "/)}). 



The reasons for all the equalities are identical to those used in the previous case. 
The first equality comes from the definition of F caxt and the fact that book' ^ book, 
and the second from the assumption (69). The third holds because none of the 
events in E' ( ” — Eq is an inc or dec operation involving book. Assume now that 
book = book'. 

-F C art(contains(&ooA;), N'" .M) 

= max{0, F cart (contains(6oofc), N".M) — n'} 

= max{0, max ({0} U 

{n | (6oofc,n) eF AWset (get,E( l , ,X.aop| E '',Xvis| f ;'', X.ar| £ //)}) 

-n'} 

= max({0} U {n \ (book, n) € F AWse t(get, £'o",Xaop| £ :'",Xvis|£;"',Xar| B ///)}). 

The first equality holds because N'" is the extension of N" with /, this / event is 
a maximum according to the A'".vis relation, and the operation performed by / is 
d ec(book', n') = d ec(book, nl ). The second comes from the assumption (69). Fi¬ 
nally, observe that the implementation of the inc(book', n') operation removes all 
the elements involving book = book' from the items object and adds the following 
tuple to the object: 

(book, 

max({0} U {n \ (book,n) € F kVset (get, Eq ,Xaop| B ",Xvis| B ",Xar| B ,/)}) - n') 

if the second component of the tuple is positive; otherwise, it does not add any 
tuple. The third equality follows from this observation. 

- Assume that Xaop(/) = contains (book') for a nonnegative integer book'. If 
book ^ book , 

^cart(contains(6ooA;), N'" .M) 

= F cart (contains(6ooA;), N".M) 

= max({0} U {n \ (book, n) € ^^(get, Eft, X.aop| B '',Xvis| s //, Xarj^)}) 

= max({0} U {n | (book, n) € i ? AWset (get, £o , ,Xaop| £ ;'",Xvis| B '",Xar| B / i //)}). 

The reasons for all the equalities are identical to those used in the previous two 
cases. Assume now that book = book'. 

^cart(contains(6ooA;), N'" .M) 

= F cart (contains(&ooA;), N".M) 

= max({0} U {n \ (book, n) € F &yset ( get, Eq , X.aop| B '',Xvis| £ //, Xarj^)}) 

= max({0} U {n \ (book,n) € F AWset ( get, Eq, A.aopl/.-'-^Xvisl^w, X.ar|;.^«)}). 

The first equality holds because N'" is the extension of N" with /, this / event 
is maximum in N"'.E according to the A'".vis relation, and the operation per¬ 
formed by / is contains(6oofc / ) = contains(&<%>&). The second comes from 
the assumption (69). The third equality holds because the implementation of the 



contains (book') operation removes all the elements involving book = book' from 
the items object and adds the following tuple to the object: 


(book, 

max({0} U {n | ( book,n ) ei 7 AWset(get,£?o,Xaop| B y,X.vis| B »,Xar|^})). 

□ 


E.3 An example of composing last-writer-wins objects 

We now illustrate that composing objects with last-writer-wins conflict-resolution poli¬ 
cies yields an object with the same policy. To this end, we use the primitive data type 
LWWreg of a last-writer-wins register. The data type has the signature {write, read} 
and its specification F LWreg is defined as follows. We let F LWWreg ((write, a), M) = _L 
and let F LWWreg ((read, _L), M) be defined if and only if M.ar is a total order on the set 
{e £ M.E | M.aop(e) = (write, _)}; in this case F LWreg returns the parameter of the 
last write event in this order, or _L if there are no such events. 

The following composite data type combines operations on a pair of last-writer-wins 
registers: 


-Dp air = let {xi = new LWWreg; x<i = new LWWreg} in { 
write(ui, U2) = atomic { a:i.write(ui); a:2.write(u2) }; 
read = atomic { v out = (x\. read, X 2 - read) } } 

This data type satisfies the specification F Pair that is analogous to F LWreg , but oper¬ 
ates on pairs of values: F PaiT (( get, _L), M) returns the pair of values supplied as the 
parameter to the last write operation in the context according to M.ar, or _L if there 
are none; it is undefined if M.ar does not totally order write operations. We omit the 
trivial proof that F Pair is indeed the denotation of D Pair . 



